Important are the whitespaces before 'self'. If there are no whitespaces it will generate a wrong csp policy and Chrome for example shows a warning like this:
The source list for Content Security Policy directive 'script-src' contains an invalid source: ''nonce-157452790003100'unsafe-eval''. It will be ignored.
I just realized that you need to write the policy like this in order for the nonce to work:
Important are the whitespaces before 'self'. If there are no whitespaces it will generate a wrong csp policy and Chrome for example shows a warning like this: