Since this works

  const style = document.createElement('style')
  style.textContent = `* { font-family: Arial }`
  document.head.appendChild(style)

I'd say the `data:` URL of the font is violating the Content-Security-Policy, which should show an error in the Console.

Their CSP has `default-src 'self'` and has no font-src, so font-src is 'self' too (it would need `data:` as well)