Another thing to look at and test is promiscuous mode for the physical NIC which your VM/CT will be using.
It is not uncommon that this is needed for the kernel filters to not drop the replies.
If this is the case, it can be verified that the VM/CT can only ping the physical IP of the host but not reach outside of it.
When doing tcpdump on the host you will see that the VM/CT sends an “arp whohas?” which is sent to the destination; the reply then returns from, let's say, the default gateway, but the VM/CT never gets it, so another second or so later you see another “arp whohas?” for the same IPv4 from the same VM/CT.
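
As an added example (not part of the original post), the symptom described above can be checked from saved `tcpdump -n arp` output taken on the host: the script flags requester/target pairs whose who-has is repeated even though a reply was already seen on the wire. The sample lines, addresses, function name and 3-second window are constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed sample in the text format printed by `tcpdump -n arp` on the host.
SAMPLE = """\
12:00:01.000100 ARP, Request who-has 192.0.2.1 tell 192.0.2.50, length 28
12:00:01.000900 ARP, Reply 192.0.2.1 is-at 02:00:00:00:00:01, length 46
12:00:02.001200 ARP, Request who-has 192.0.2.1 tell 192.0.2.50, length 28
12:00:02.001900 ARP, Reply 192.0.2.1 is-at 02:00:00:00:00:01, length 46
12:00:03.002300 ARP, Request who-has 192.0.2.1 tell 192.0.2.50, length 28
12:00:05.000000 ARP, Request who-has 192.0.2.1 tell 192.0.2.60, length 28
12:00:05.000700 ARP, Reply 192.0.2.1 is-at 02:00:00:00:00:01, length 46
"""

REQ = re.compile(r"^(\d+):(\d+):(\d+\.\d+) ARP, Request who-has (\S+) tell (\S+),")
REP = re.compile(r"^(\d+):(\d+):(\d+\.\d+) ARP, Reply (\S+) is-at (\S+),")


def _secs(h, m, s):
    """Convert a tcpdump HH:MM:SS.ffffff timestamp to seconds since midnight."""
    return int(h) * 3600 + int(m) * 60 + float(s)


def unanswered_retries(text, window=3.0):
    """Return {(requester, target): retries} for who-has requests repeated
    within `window` seconds although a reply for the target was seen on the
    host between the two requests (the reply reached the host, not the guest)."""
    last_req = {}   # (requester, target) -> time of the previous request
    replied = {}    # target -> time of the last reply seen on the wire
    hits = defaultdict(int)
    for line in text.splitlines():
        m = REQ.match(line)
        if m:
            t = _secs(*m.group(1, 2, 3))
            key = (m.group(5), m.group(4))
            prev, rep_t = last_req.get(key), replied.get(key[1])
            if (prev is not None and t - prev <= window
                    and rep_t is not None and prev <= rep_t <= t):
                hits[key] += 1
            last_req[key] = t
            continue
        m = REP.match(line)
        if m:
            replied[m.group(4)] = _secs(*m.group(1, 2, 3))
    return dict(hits)


if __name__ == "__main__":
    for (src, dst), n in unanswered_retries(SAMPLE).items():
        print(f"{src} re-asked for {dst} {n} time(s) despite a reply on the wire")
```

A pair reported here is the pattern the post describes; a requester that asks once and goes quiet after the reply is not reported.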