This is a problem people have been running into for years that hasn’t been addressed in community communication and documentation, not sure why.
The version mismatch is merely a symptom of that: Including Home Manager from Nixpkgs is upside-down, IMHO, because Home Manager is already building on top of some version of Nixpkgs (there are tests and appropriate release branches etc.). So at least for regular Linux distributions, instead I’d recommend picking the exact Nixpkgs a given Home Manager release uses, and generally thinking of Home Manager as a standalone application that uses Nixpkgs and Nix underneath, not some nice add-on to Nix or Nixpkgs.
(Practically this means using `follows` in flakes; stable Nix is currently hosed because there’s no backward compatible interface upstream and one has to do atrocious things such as reading `flake.lock`.)
This gets slightly more complicated with NixOS, because NixOS is definitely a standalone application on top of Nixpkgs. It so happens that Nixpkgs and NixOS live in the same source tree, such that in practice you can build your NixOS from the Nixpkgs that ships with Home Manager, but that sounds and feels wrong to me. This is why I prefer to keep the two entirely separate.
In both cases you’re left with trusting Home Manager maintainers to stay close to Nixpkgs release branch tips for security patches to reach you in a timely manner, or, as you do now, keeping Nixpkgs references up to date yourself and absorbing the maintenance burden of ensuring compatibility.
There are lengthy discussions around HM and NixOS being separate things to begin with, but reality is messy and it’s not particularly cheap to change the status quo.
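The trade-off described above can be checked from `flake.lock`. The following is an added example, not part of the original post or of Home Manager: it resolves which Nixpkgs node Home Manager is locked to, whether the top-level `nixpkgs` input follows it, and how old that pin is. The sample lock file, the placeholder revisions, the input names `home-manager` and `nixpkgs`, and the 30-day threshold are all assumptions.

```python
import json

# Constructed flake.lock (version 7 layout); revs and timestamps are made up.
SAMPLE_LOCK = json.loads("""
{
  "nodes": {
    "root": {"inputs": {"home-manager": "home-manager",
                        "nixpkgs": ["home-manager", "nixpkgs"]}},
    "home-manager": {"inputs": {"nixpkgs": "nixpkgs"},
                     "locked": {"lastModified": 1700500000,
                                "rev": "HM_REV_PLACEHOLDER"}},
    "nixpkgs": {"locked": {"lastModified": 1700000000,
                           "rev": "NIXPKGS_REV_PLACEHOLDER"}}
  },
  "root": "root",
  "version": 7
}
""")

def resolve(lock, ref):
    """Return the node name an input reference points at.

    A string is a node name; a list is a `follows` path walked from the root.
    """
    if isinstance(ref, str):
        return ref
    name = lock["root"]
    for step in ref:
        name = resolve(lock, lock["nodes"][name]["inputs"][step])
    return name

def audit(lock, now, max_age_days=30):
    """Compare the top-level nixpkgs with the one Home Manager is locked to.

    max_age_days is an assumed threshold for flagging a pin as stale.
    """
    top = resolve(lock, ["nixpkgs"])
    hm = resolve(lock, ["home-manager", "nixpkgs"])
    age = (now - lock["nodes"][hm]["locked"]["lastModified"]) // 86400
    return {"same_nixpkgs": top == hm, "hm_nixpkgs_node": hm,
            "age_days": age, "stale": age > max_age_days}

if __name__ == "__main__":
    # 45 days after the constructed nixpkgs timestamp
    print(audit(SAMPLE_LOCK, now=1700000000 + 45 * 86400))
```

A `same_nixpkgs` value of `False` means the system is evaluating Home Manager against a Nixpkgs revision other than the one Home Manager locked.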