CSP unsafe-eval error in Livewire 3 (wire:click)

I recently attempted to upgrade an existing production application (Laravel 10) to Laravel 11. During the process, I discovered that upgrading Livewire to version 3 was mandatory. After upgrading from Livewire 2, I encountered an issue where wire:click was throwing errors due to content security policies (CSP) in our application.

Error: Uncaught EvalError: Refused to evaluate a string as JavaScript because 'unsafe-eval' is not an allowed source of script in the following Content Security Policy directive: "script-src 'self' 'unsafe...

This issue arises because we use bepsvpt/secure-headers for CSP, and unsafe-eval is set to false in our application. Changing it to true resolves the error, but I understand that this could make the application vulnerable to CSRF attacks (even though we have CSRF protection in Laravel).

I tried various solutions from the web (e.g., using a nonce), but none of them worked. I also found a tweet from Caleb Porzio stating that Livewire 3 currently does not support this CSP case.

I would like to know if there is a solution for this without compromising security. If enabling unsafe-eval is the only option, how can we ensure that the Laravel application remains secure against CSRF and other potential attacks due to this change?