[Answered] CSP error for bootstrap image in navbar hamburger


From the code snippets, it looks like you are using the https://django-csp.readthedocs.io/en/latest/configuration.html package to handle the setting of the CSP directives, and that is a great choice for Django projects.

The most secure scenario would be to allow loading of content only from the same domain and strictly forbid any other resources; it isn't practical, though. A good enough strategy would be to allow 'self' and only explicit paths like https://cdn.jsdelivr.net/npm/bootstrap@5.1.3/dist/css/bootstrap.min.css. Values like https://cdn.jsdelivr.net/npm/bootstrap@5.1.3/, cdn.jsdelivr.net or https: could raise concerns, as they allow a wide range of resources.

In your case, data: might be required for the img-src directive, or for default-src, which acts as a fallback when you don't have an explicit img-src directive value.

https://csp-evaluator.withgoogle.com/ could give you more security recommendations for your current CSP configuration and the specific domains that you are using.
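As an added illustration of the two points in the answer above (the default-src fallback that decides whether the hamburger's data: SVG icon loads, and why a whole host is wider than an explicit file path), here is a small CSP checker. It is example code written for this page, not code from the question, the answer or the django-csp project. It assumes a page origin of https://example.org, ignores ports, treats scheme-less host sources as matching http and https, and uses constructed policies and URLs; the navbar-toggler data: URI is a shortened stand-in for Bootstrap's real icon.

```python
"""Added example (not part of the original answer): a small CSP checker.

It parses a Content-Security-Policy header, applies the default-src
fallback rule, decides whether a URL is allowed by a directive and flags
sources that are wider than one explicit path. Host matching is a
simplified form of the CSP algorithm (ports ignored; scheme-less host
sources match http and https). All policies and URLs are constructed.
"""
from urllib.parse import urlparse

# Fetch directives that fall back to default-src when absent.
FALLS_BACK_TO_DEFAULT = {
    "img-src", "script-src", "style-src", "font-src", "connect-src",
    "media-src", "object-src", "frame-src", "child-src", "worker-src",
    "manifest-src",
}

# Constructed inputs (assumed; shortened stand-in for the Bootstrap icon).
TOGGLER_ICON = ("data:image/svg+xml,%3csvg xmlns='http://www.w3.org/2000/svg'"
                " viewBox='0 0 30 30'%3e%3c/svg%3e")
BOOTSTRAP_CSS = "https://cdn.jsdelivr.net/npm/bootstrap@5.1.3/dist/css/bootstrap.min.css"
TOO_BROAD = "default-src 'self'; style-src 'self' https://cdn.jsdelivr.net"
RECOMMENDED = ("default-src 'self'; img-src 'self' data:; "
               "style-src 'self' " + BOOTSTRAP_CSS)


def parse_csp(header):
    """'img-src a b; style-src c' -> {'img-src': ['a', 'b'], 'style-src': ['c']}"""
    policy = {}
    for part in header.split(";"):
        tokens = part.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def effective_sources(policy, directive):
    """Sources governing `directive`, honouring the default-src fallback."""
    if directive in policy:
        return policy[directive]
    if directive in FALLS_BACK_TO_DEFAULT:
        return policy.get("default-src", [])
    return []


def _host_source_matches(src, url):
    """Match a host source (scheme://host[/path] or host[/path]) against a URL."""
    u = urlparse(url)
    if "://" in src:
        s = urlparse(src)
        if s.scheme != u.scheme:
            return False
        host, path = (s.hostname or ""), s.path
    else:  # scheme-less host source: treated as matching http and https
        if u.scheme not in ("http", "https"):
            return False
        host, _, rest = src.partition("/")
        host, path = host.lower(), ("/" + rest if rest else "")
    url_host = u.hostname or ""
    if host.startswith("*."):
        if not url_host.endswith(host[1:]):
            return False
    elif host != url_host:
        return False
    if not path:
        return True                     # whole host allowed
    if path.endswith("/"):
        return u.path.startswith(path)  # directory prefix
    return u.path == path               # exact file only


def url_allowed(policy, directive, url, page_origin="https://example.org"):
    """Would `url` be permitted by `directive` (or its fallback) on `page_origin`?"""
    u = urlparse(url)
    for src in effective_sources(policy, directive):
        if src == "'none'":
            return False
        if src == "*":
            return u.scheme in ("http", "https", "ws", "wss")
        if src == "'self'":
            if f"{u.scheme}://{u.netloc}" == page_origin:
                return True
        elif src.startswith("'"):
            continue                    # nonces, hashes, unsafe-*: not URL sources
        elif src.endswith(":"):         # scheme source such as data: or https:
            if u.scheme + ":" == src or (src == "http:" and u.scheme == "https"):
                return True
        elif _host_source_matches(src, url):
            return True
    return False


def broad_sources(policy):
    """(directive, source, reason) for every source wider than one explicit path."""
    findings = []
    for directive, sources in policy.items():
        for src in sources:
            reason = None
            if src == "*" or src in ("http:", "https:"):
                reason = "any host"
            elif src.endswith(":") and not src.startswith("'"):
                if directive in ("default-src", "script-src", "object-src"):
                    reason = f"{src} where scripts/objects load"
            elif not src.startswith("'"):
                host_part = src.split("://", 1)[-1]
                if host_part.startswith("*"):
                    reason = "wildcard host"
                elif "/" not in host_part:
                    reason = "whole host"
                elif host_part.endswith("/"):
                    reason = "directory prefix"
            if reason:
                findings.append((directive, src, reason))
    return findings


if __name__ == "__main__":
    for name, header in (("too broad", TOO_BROAD), ("recommended", RECOMMENDED)):
        policy = parse_csp(header)
        print(name, "icon allowed:", url_allowed(policy, "img-src", TOGGLER_ICON))
        print(name, "findings:", broad_sources(policy))
```

Run stand-alone, the script shows that with only default-src 'self' the hamburger icon is blocked (img-src falls back to default-src, and 'self' never matches a data: URL), that adding img-src 'self' data: fixes it without flagging anything, and that https://cdn.jsdelivr.net is reported as a whole host while the full bootstrap.min.css path is not. The RECOMMENDED policy corresponds in django-csp 3.x settings to CSP_DEFAULT_SRC = ("'self'",), CSP_IMG_SRC = ("'self'", "data:") and CSP_STYLE_SRC = ("'self'", BOOTSTRAP_CSS); django-csp 4.0 moved these into a single CONTENT_SECURITY_POLICY dict.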
