I have a USB webcam on /dev/video0 that I'm trying to access before a user logs in (to be precise, I have an Azure IoT Edge container running on an Ubuntu 18.04 instance that needs to run in headless mode, and the box needs to be able to be power cycled without someone having to physically log in every time).
If I first physically log in on the box, the ACLs are set properly for /dev/video0, and my container (which runs under myuser) can happily access /dev/video0:
myuser@myuser-UBUNTU:~$ sudo getfacl /dev/video0
getfacl: Removing leading '/' from absolute path names
# file: dev/video0
# owner: root
# group: video
user::rw-
user:myuser:rw-
group::rw-
mask::rw-
other::---
But if I do not physically log in on the box (e.g. right after a reboot), my user's account (myuser) never gets ACL access to /dev/video0 (instead, the gdm user gets it).
myuser@myuser-UBUNTU:~$ sudo getfacl /dev/video0
getfacl: Removing leading '/' from absolute path names
# file: dev/video0
# owner: root
# group: video
user::rw-
user:gdm:rw-
group::rw-
mask::rw-
other::---
I'm 99% sure this is an ACL problem, because when I ssh into the box (before physically logging in), and manually add myuser to the ACL list for /dev/video0, my container can again happily access /dev/video0.
My question: how can I ensure that on startup, when /dev/video0 is mounted, that this automatically happens:
sudo setfacl -m u:myuser:rw /dev/video0
Adding myuser to the video group does not work (ACLs seem broken on Ubuntu in this respect):
sudo usermod -a -G video myuser
I've tried every variation I can possibly think of RE: groups, with no impact. It seems like I really need to automatically add myuser to the ACL for /dev/video0 when Ubuntu starts, but I am unsure how to do that. Any ideas?
To be extremely precise, you need to start this before Docker starts your container.
So you can add a drop-in for the Docker systemd unit, to run whatever you wish prior to Docker starting.
For instance, I would create a systemd drop-in like this:
At this point, whenever Docker starts, the indicated command will be run beforehand.
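A drop-in of the kind the answer describes, as an added example (it is not the answerer's original file): the script renders and installs a Docker drop-in that grants a single user rw on a single video device before Docker starts. The unit name docker.service, the file name 10-video-acl.conf and the function names render_dropin and install_dropin are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not the answerer's original drop-in.
# Assumptions: Docker's unit is docker.service; the drop-in file name
# 10-video-acl.conf and both function names are made up for this example.

# Print a drop-in that grants one user rw on one video device before dockerd starts.
render_dropin() {
    user=$1 dev=$2 setfacl_bin=$3
    # Accept only a plain account name and /dev/videoN, so nothing unexpected
    # ends up on a command line that systemd runs as root.
    case $user in ''|*[!a-z0-9_-]*) echo "invalid user: $user" >&2; return 1 ;; esac
    case $dev in
        /dev/video|/dev/video*[!0-9]*) echo "invalid device: $dev" >&2; return 1 ;;
        /dev/video*) ;;
        *) echo "invalid device: $dev" >&2; return 1 ;;
    esac
    # Require an absolute path to the setfacl binary.
    case $setfacl_bin in /*) ;; *) echo "setfacl path must be absolute" >&2; return 1 ;; esac
    cat <<EOF
[Service]
# Runs as root before dockerd. The leading "-" makes systemd ignore a failure
# here, so Docker still starts when the camera is not plugged in.
ExecStartPre=-$setfacl_bin -m u:$user:rw $dev
EOF
}

# Write the drop-in to <root>/docker.service.d/10-video-acl.conf.
# The fourth argument (root) defaults to /etc/systemd/system.
install_dropin() {
    root=${4:-/etc/systemd/system}
    content=$(render_dropin "$1" "$2" "$3") || return 1
    mkdir -p "$root/docker.service.d" || return 1
    printf '%s\n' "$content" > "$root/docker.service.d/10-video-acl.conf"
}

# On the host, as root:
#   install_dropin myuser /dev/video0 "$(command -v setfacl)"
#   systemctl daemon-reload && systemctl restart docker
# Check afterwards with: getfacl /dev/video0
```

ExecStartPre only runs when the Docker unit starts, so the ACL is not reapplied if the camera is unplugged and reconnected later.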