The idea behind CSP based on nonces (as opposed to the "old" approach of using whitelists) is that you add the valid nonce token only to the script directly sourced from your page, and trust propagates to other scripts loaded dynamically by the "loader" script. This way you no longer have to care about what domains the widget uses -- if you trust the initial script, give it a nonce and it will execute, along with the subresources it needs.
Of course you can still have a domain whitelist or use Subresource Integrity if you're loading scripts from potentially untrusted infrastructure. But the nonce-based approach is meant precisely to avoid the "moving target" problem you mentioned.
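The propagation the answer describes is what CSP3's `'strict-dynamic'` source expression provides. The following is an added example, not code from the answer above: it generates a per-response nonce, builds the header, and models which scripts a conforming browser would run under it (the `Script` fields and the loader/widget URLs are constructed for illustration).

```python
import base64
import secrets
from dataclasses import dataclass
from typing import Optional, Set

def make_nonce() -> str:
    # 128 bits from a CSPRNG, base64-encoded; generate a fresh one per response, never reuse it
    return base64.b64encode(secrets.token_bytes(16)).decode()

def build_csp(nonce: str) -> str:
    # In a browser that understands 'strict-dynamic', only the nonce and the keyword matter;
    # 'unsafe-inline' and https: are ignored there and serve only as a fallback for older browsers.
    return (f"script-src 'nonce-{nonce}' 'strict-dynamic' 'unsafe-inline' https:; "
            "object-src 'none'; base-uri 'none'")

@dataclass
class Script:
    src: str
    nonce: Optional[str] = None
    parser_inserted: bool = False      # e.g. injected via document.write or innerHTML
    created_by_trusted: bool = False   # created with createElement('script') by an already-allowed script

def script_src_sources(csp: str) -> Set[str]:
    # Pull the source list out of the script-src directive
    for directive in csp.split(";"):
        parts = directive.split()
        if parts and parts[0] == "script-src":
            return set(parts[1:])
    return set()

def allowed(csp: str, script: Script) -> bool:
    sources = script_src_sources(csp)
    nonces = {s[len("'nonce-"):-1] for s in sources if s.startswith("'nonce-")}
    if script.nonce and script.nonce in nonces:
        return True  # directly sourced from the page with the valid nonce
    if "'strict-dynamic'" in sources:
        # Host and scheme sources are ignored; trust propagates only to scripts that a trusted
        # script creates itself, never to parser-inserted markup (the classic injection vector).
        return script.created_by_trusted and not script.parser_inserted
    # Legacy whitelist behaviour when 'strict-dynamic' is absent (only the https: scheme source is modelled)
    return "https:" in sources and script.src.startswith("https://")
```

The model shows the answer's point: the loader runs because it carries the nonce, its `createElement`-loaded dependencies run because trust propagates, and a script without the nonce is refused even though its host would match `https:`.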