'nonce-value' is not applicable for Blazor WASM because of client-side rendering. Nonces should be generated with a fresh value on each page load, which is possible on the server side only.
Also, 'nonce-value' can be used only to allow inline scripts of the kind <script>...</script>. But Radzen Blazor code uses a lot of other kinds of inline scripts: inline event handlers in tags (you have found part of them) and also javascript: navigation like href="javascript:void(0)", for example:
RadzenAccordion:

```razor
<a @onclick="@((args) => SelectItem(item))" href="javascript:void(0)" role="tab" tabindex="0"
```

RadzenPager:

```razor
<a class="rz-paginator-first rz-paginator-element" href="javascript:void(0)" tabindex="-1" @onclick="@(() => FirstPage())">
```
There is no way to avoid using the 'unsafe-inline' token, because the 'unsafe-hashes' token designed for these cases is not supported by Safari.
The best you can do is to use the policy:

```
script-src 'self' 'unsafe-inline'; script-src-elem 'self' 'sha256-...' (all hashes here); script-src-attr 'unsafe-inline';
```
It will mitigate the consequences of 'unsafe-inline' for Chrome browsers: injection of <script>...</script> will be prohibited. Firefox and Safari will follow the script-src 'self' 'unsafe-inline' rule.
Also, Radzen Blazor code uses a lot of style= attributes in tags, therefore you have to use 'unsafe-inline' in the style-src directive too.