This won't work. JoinsNamespaceOf= only has an effect on networking if
you set PrivateNetwork= too. But if you use --network-veth (or the
related options) in nspawn then this means that nspawn will open its
own network namespace anyway, independent from the network namespace
it was invoked from. Hence, if you set PrivateNetwork=1 in your
service, you detach nspawn one level from the host's network
namespace, and then with nspawn's --network-veth your detach the stuf
running inside of the container one level further from the host. You
hence end up with three network namespaces in total: one for host, one
for the nspawn process itself, and a thrid one for the stuff running
inside of the container.
The only way you can do this right now is by not using any of nspawn's
own network namespacing features, but instead use JoinsNamespaceOf= +
PrivateNetwork=1 to let the service set up things, and then use the
"ip" tool to set up what you need before that. But YMMV...

Long story short: we do not cover this nicely at the moment. And I am
not entirely how we should cover it. One option could be to add
--same-network= or so to nspawn which takes another container name and
then runs the container in the exact same network namespace as that
other container.

Lennart

It seems it would be better to refer to the service unit that executed
nspawn, not the container running in the namespace created with
nspawn. This way I can refer to that unit using a stable name. Another
alternative that is even more useful is to allow for any service that
specifies PrivateNetwork= also specify how that network should be
initialized and connected to the outside world using the same options
that are available with nspawn.