Oops, the fix was actually quite simple: just add the new nvidia-container-toolkit from unstable to the overlay. This allows the new CDI module to use the package.
```nix
overlay-unstable = final: prev: {
  unstable = nixpkgs-unstable.legacyPackages.${prev.system};
  nvidia-container-toolkit = nixpkgs-unstable.legacyPackages.${prev.system}.nvidia-container-toolkit;
};
```
And with that, my GPU is visible inside the container!
```
$ sudo podman run --rm --device nvidia.com/gpu=all --security-opt=label=disable ubuntu nvidia-smi -L
GPU 0: NVIDIA GeForce GTX 1660 (UUID: GPU-xxxxx)
```
Jellyfin sees it too (running as an OCI container), which has been the goal all along.
Thank you for the help, @SergeK!