These two directives do not interact, unfortunately. It’s not possible to use them in this way.
You can, however, use filter to embed the Content Security Policy in HTML documents as a HTML meta tag. Meta tags is how I usually prefer to specify CSP for my sites, so they don’t come down in headers on any request - they’re only relevant to clients which open and parse the HTML anyway.