Thanks very much for your help. The issue seems to be related to (lack of) privilege in the LXC container. The container was running in the default unprivileged mode which maps uids and gids (in /etc/subuid and /etc/subgid respectively) to uids of the parent host. I've set security.privileged to true on the container, which stops the id mapping, and the authentication via su and ssh succeeds.
This gives me a workaround for now and buys a bit of time to experiment with getting things working in an unprivileged container.
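To make the id mapping mentioned above concrete, here is an added example (not part of the original post) that translates uids through a user-namespace map in the `/proc/<pid>/uid_map` format, comparing an unprivileged map with the identity map a privileged container sees. The 100000/65536 range is a constructed sample, not a value from the post; read the real one from `/proc/self/uid_map` inside the container.

```python
"""Translate uids across a user-namespace id map (format of /proc/<pid>/uid_map)."""

OVERFLOW_UID = 65534  # kernel default in /proc/sys/kernel/overflowuid ("nobody")

# Constructed sample maps; each line is: <first id inside> <first id outside> <count>
UNPRIVILEGED_MAP = "0 100000 65536\n"   # assumed subuid range, not from the post
PRIVILEGED_MAP = "0 0 4294967295\n"     # identity map, i.e. no id shifting


def parse_id_map(text):
    """Return a list of (inside_start, outside_start, count) tuples."""
    extents = []
    for line in text.splitlines():
        if not line.strip():
            continue
        inside, outside, count = (int(field) for field in line.split())
        extents.append((inside, outside, count))
    return extents


def to_host(extents, container_id):
    """Host id behind a container id, or None if the id is not mapped."""
    for inside, outside, count in extents:
        if inside <= container_id < inside + count:
            return outside + (container_id - inside)
    return None


def to_container(extents, host_id):
    """Container view of a host id; unmapped owners show up as the overflow id."""
    for inside, outside, count in extents:
        if outside <= host_id < outside + count:
            return inside + (host_id - outside)
    return OVERFLOW_UID


def container_root_is_host_root(extents):
    """True when uid 0 in the container is uid 0 on the host."""
    return to_host(extents, 0) == 0


if __name__ == "__main__":
    for name, text in (("unprivileged", UNPRIVILEGED_MAP), ("privileged", PRIVILEGED_MAP)):
        extents = parse_id_map(text)
        print(name, "container root -> host uid", to_host(extents, 0),
              "| host-root-owned file seen as uid", to_container(extents, 0),
              "| root is host root:", container_root_is_host_root(extents))
```

With the identity map, root in the container is uid 0 on the host, which is the isolation given up by setting security.privileged to true.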