My original pawtucket index.php content-security-policy looks like this
$resp->addHeader("Content-Security-Policy", "script-src 'self' maps.googleapis.com cdn.knightlab.com ajax.googleapis.com 'unsafe-inline' 'unsafe-eval';");
It changed it to include GA
$resp->addHeader("Content-Security-Policy", "script-src 'self' maps.googleapis.com cdn.knightlab.com ajax.googleapis.com tagmanager.google.com www.googletagmanager.com www.google-analytics.com 'unsafe-inline' 'unsafe-eval';");
GA now says my account is active!