At the moment I need to add "https://*.monitor.azure.com" to my script-src allow-list for my content-security-policy to work which i want to avoid. Has anyone modified the JS to add a nonce attribute to the external JS link? I can add one here to allow the inline script fine.

I suggest posting this question here https://github.com/microsoft/ApplicationInsights-JS