Error: "${EMAILS}" is an invalid filename: rejected character: "{" (thunderbird)

I am using Nixos 22.11. with thunderbird in a firejail wrapper.

In configuration.nix i have the following:

  environment.sessionVariables = {
    # TERM = "kitty";
    DOWNLOADS = "\${HOME}/Downloads";
    DOCUMENTS = "\${HOME}/Dokumente";
    MUSIC = "\${HOME}/Speicher/Audio/Musik";
    PICTURES = "\${HOME}/Speicher/Bilder";
    VIDEOS = "\${HOME}/Speicher/Video";
    EMAILS = "\${HOME}/Dokumente/Unterlagen/Emails";
    EDITOR = "emacsclient -nw";
  };

and regarding firejail:

  programs.firejail.enable = true;
  programs.firejail.wrappedBinaries = {

    thunderbird = {
      executable = "${pkgs.lib.getBin pkgs.thunderbird}/bin/thunderbird";
      profile = pkgs.writeText "thunderbird.local" ''
        noblacklist ''${DOWNLOADS}
        whitelist ''${DOWNLOADS}
        noblacklist ''${EMAILS}
        whitelist ''${EMAILS}
        # noblacklist ''${DOCUMENTS}
        # whitelist ''${DOCUMENTS}
        # mkdir ''${HOME}/Dokumente/Unterlagen/Emails
        # noblacklist ''${HOME}/Dokumente/Unterlagen/Emails
        # whitelist ''${HOME}/Dokumente/Unterlagen/Emails
        include thunderbird.profile
      '';
    };

My other firejails programs work as expected but thunderbird is special:

If i whitelist the exact directory of the offline emails, it can’t access them (the 3 last lines commented out).

If i whitelist DOCUMENTS (presently commented out) it works fine, but this gives thunderbird access to more directories than i want to.

If i define EMAILS as a sessionVariable and then whitelist it for thunderbird as in the code i posted, i get

~ ❯ thunderbird
Reading profile /nix/store/hkpvjp170mvxh6rp8zi9snc891w9zdfg-thunderbird.local
Error: "${EMAILS}" is an invalid filename: rejected character: "{"

Why is that? If i run printenv, EMAILS has got the correct value and working with DOWNLOADS and DOCUMENTS works fine. So why is it handled differently?