Strict CSP policy, which should allow to load scripts from origin and execute all hashed inline scripts with hashes and SRI and it works (but not for FireFox - throw it out)!
default-src 'self'; script-src 'self' 'sha256-njl7zxiKalRhsBLsWOUobG2Oj/tPLHj1uypL4dOi1K8=' 'sha256-EeTNsJLV3kvLLMz7pxGfvh9u0JY8icKG5KjWnb8IZbQ=' 'sha256-aPK+M1Ic/YyssLh6WKqbat5IIKD6wwh/hyWW5D53D9k=' 'strict-dynamic' 'unsafe-inline';
Tip: Open DevTools on the Console tab
CSP with inline script hashes page