I had the same problem. I’m sad to say this was the best we have done. We basically identified what we use and don’t use. We even had to put unsafe-eval in some instructions because we were using third party controls that couldn’t work without it. At least we avoid calls to external urls.
default-src 'self';
child-src 'self' 'unsafe-inline' 'unsafe-eval';
object-src 'none';
script-src 'self' 'unsafe-inline' 'unsafe-eval' https://www.google-analytics.com;
img-src 'self' https://www.google-analytics.com;
style-src 'self' 'unsafe-inline'