Why does this systemd service not run at the right time (loading encryption keys from a network drive which are required for lxc containers)?

In Debian with systemd, I use zfs and lxc. My zfs datasets are encrypted and their keys can be loaded from a network host via my /etc/zfs/zfs-load-key.sh script. My LXC containers are started by lxc.service.

Loading the keys requires the network up and running (otherwise I get the error "no route to host") but lxc.service requires the keys to be loaded.

Sounds trivial, but isn't. I created this file /etc/systemd/system/[email protected]:

[Unit]
Description=Load %I encryption keys from network host
DefaultDependencies=no
Before=zfs-mount.service lxc.service
After=zfs-import.target network-online.target
Requires=zfs-import.target
Wants=network-online.target

[Service]
Type=oneshot
RemainAfterExit=yes
ExecStart=/etc/zfs/zfs-load-key.sh %I

[Install]
WantedBy=zfs-mount.service lxc.service

and enabled them via:

systemctl enable [email protected]
systemctl enable [email protected]

For for some reason, my LXC containers do not start because the keys were not yet loaded, ALTHOUGH I have Before=... lxc.service!

Why does this service not run at the right time, i.e. after the network is up and before lxc?

How to fix it?