XSS
riddlr, 2018-09-30 17:08:39

Will 2 Content-Security-Policy headers work correctly?

I have an application that does server rendering. Besides, it is proxied through nginx.
I made the CSP settings in nginx, but the problem is that the application (more precisely, the framework) injects its scripts into the layout, so I need to use a hash that only the application can provide. I set up the CSP headers in the application (regarding script-src), but now I have something like this:

Content-Security-Policy: default-src 'self'; script-src 'self'; object-src 'none'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; media-src 'self'; frame-src 'self'; font-src 'self'; connect-src 'self' ws://node.server; form-action 'self'; manifest-src 'self'
Content-Security-Policy: script-src 'self' 'unsafe-eval' 'sha256-DnpPdT3fUiAk5dgay78q+v3W/A6ccSKg4URdsAI4NvM='

Will this work properly? Does the browser sum these headers?
And another question - how to test everything for correct operation?
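An added example (not from the original post) that models how a browser treats two Content-Security-Policy headers: each policy is enforced on its own, so a load must be permitted by every header. It uses the two header values from the question as constructed input and a simplified source matcher (exact token match on keywords, hashes and schemes; host and path matching are omitted).

```python
from typing import Dict, List, Optional

# Constructed sample: the two header values from the question above.
HEADER_1 = ("default-src 'self'; script-src 'self'; object-src 'none'; "
            "style-src 'self' 'unsafe-inline'; img-src 'self' data:; "
            "media-src 'self'; frame-src 'self'; font-src 'self'; "
            "connect-src 'self' ws://node.server; form-action 'self'; "
            "manifest-src 'self'")
HEADER_2 = ("script-src 'self' 'unsafe-eval' "
            "'sha256-DnpPdT3fUiAk5dgay78q+v3W/A6ccSKg4URdsAI4NvM='")

# Fetch directives that fall back to default-src when absent (a subset).
FALLS_BACK_TO_DEFAULT = {"script-src", "style-src", "img-src", "media-src",
                         "frame-src", "font-src", "connect-src", "object-src",
                         "manifest-src"}


def parse_policy(header: str) -> Dict[str, List[str]]:
    """Split one CSP header value into {directive: [source expressions]}."""
    policy: Dict[str, List[str]] = {}
    for part in header.split(";"):
        tokens = part.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def effective_sources(policy: Dict[str, List[str]], directive: str) -> Optional[List[str]]:
    """Source list governing `directive` in this policy; None means unrestricted."""
    if directive in policy:
        return policy[directive]
    if directive in FALLS_BACK_TO_DEFAULT:
        return policy.get("default-src")
    return None


def policy_allows(policy: Dict[str, List[str]], directive: str, source: str) -> bool:
    """Simplified check: exact token match only (keywords, hashes, schemes).
    Real browsers also do host/path matching, which is omitted here."""
    sources = effective_sources(policy, directive)
    if sources is None:
        return True          # this policy says nothing about the directive
    if sources == ["'none'"]:
        return False
    return source in sources


def allowed_by_all(headers: List[str], directive: str, source: str) -> bool:
    """Browsers do not merge multiple CSP headers: each policy is enforced on
    its own, so a load succeeds only if every policy permits it."""
    return all(policy_allows(parse_policy(h), directive, source) for h in headers)
```

With both headers present, the inline script carrying the sha256 hash is still blocked, because the first header's `script-src 'self'` has no hash and the second header cannot loosen it; only one combined `script-src` that lists the hash will let it run.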


1 answer(s)
Dimonchik, 2018-09-30
@dimonchik2013

on an empty stomach only one pie
