Is my only choice to allow 'unsafe-inline' and defeat the whole point of CSP?
Most likely, yes. Sorry. But there might be a way around it.
If you know exactly what code is going to be injected into your site by the third-party script, you can whitelist that code in your CSP by its hash. For instance, if you knew that the following script would be injected:
you could calculate
> Base64(SHA256('alert("hello world");'))
"1tD3lYbOBFeMLrXs+T9Tv9xEgcMsVs032rlMyrYSa0c="
and add the following to your CSP:
Of course, this will immensely bloat the size of your policy if multiple inline scripts are involved, and it won't work at all unless the content of those scripts is absolutely constant. So whether this is viable will depend significantly on your application, and what script you are trying to maintain compatibility with. (It may even change as that script is updated by the vendor…)
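The hash-source approach described in this answer, as an added worked example (not code from the answer or from any CSP library): it computes the `'sha256-…'` token for an inline script body, assembles a `script-src` directive from a list of such bodies, and simulates the browser-side check that a candidate inline body must match one of the listed hashes. It goes slightly beyond the answer by also accepting the `sha384` and `sha512` forms CSP allows, and by showing the "absolutely constant" caveat concretely: the hash covers the raw text between the `<script>` tags, so even a trailing space changes it and the script is blocked. The function names and the `'self'` default are my assumptions; the sample script body is the one used above.

```python
import base64
import hashlib

# Constructed sample: an inline script body exactly as it appears between
# <script> and </script>. CSP hashes cover this raw text, whitespace included.
SAMPLE_SCRIPT = 'alert("hello world");'

# Digest algorithms CSP accepts for hash-sources.
CSP_HASH_ALGOS = ("sha256", "sha384", "sha512")


def csp_hash_source(script_body: str, algo: str = "sha256") -> str:
    """Return the quoted CSP hash-source token, e.g. 'sha256-<base64 digest>'.

    Keyword and hash sources must be single-quoted inside the CSP header,
    so the quotes are part of the returned token.
    """
    if algo not in CSP_HASH_ALGOS:
        raise ValueError(f"unsupported CSP hash algorithm: {algo}")
    digest = hashlib.new(algo, script_body.encode("utf-8")).digest()
    return f"'{algo}-{base64.b64encode(digest).decode('ascii')}'"


def build_script_src(bodies, allow_self: bool = True) -> str:
    """Build a script-src directive that whitelists each inline body by hash.

    One token per body: this is the policy bloat the answer warns about.
    """
    sources = ["'self'"] if allow_self else []
    sources.extend(csp_hash_source(body) for body in bodies)
    return "script-src " + " ".join(sources)


def inline_script_allowed(script_body: str, script_src: str) -> bool:
    """Simulate the browser check: does the body hash to any hash-source token?"""
    for token in script_src.split()[1:]:
        if not (token.startswith("'") and token.endswith("'")):
            continue  # host sources such as https://cdn.example are not hashes
        algo = token[1:].partition("-")[0]
        if algo in CSP_HASH_ALGOS and csp_hash_source(script_body, algo) == token:
            return True
    return False


if __name__ == "__main__":
    policy = build_script_src([SAMPLE_SCRIPT])
    print("Content-Security-Policy:", policy)
    print("exact body allowed:     ", inline_script_allowed(SAMPLE_SCRIPT, policy))
    # A single added byte (here a trailing space) produces a different digest,
    # so a vendor update that changes the injected script breaks the whitelist.
    print("body + trailing space:  ", inline_script_allowed(SAMPLE_SCRIPT + " ", policy))
```

Run it once to print the header line you would serve; re-run it whenever the vendor script changes, since any edit to the injected body invalidates the old token.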