Append the following to /etc/pve/lxc/<vmid>.conf.
/etc/pve/lxc/<vmid>.conf
features: nesting=1 lxc.apparmor.profile: unconfined lxc.cgroup.devices.allow: a lxc.cap.drop: