Answering my own question for reference:
TL;DR: Mismatching versions of nmcli (or the whole network-manager package) seem to cause DBus AppArmor denials that are somewhat hard to debug.
I’ve put together two minimal snaps to test if the version mismatch between network-manager's nmcli and my snap’s nmcli from the bionic repos might be the cause. Also installed is the network-manager snap version 1.2.2-22 (rev 379) from stable. Host system is Ubuntu 18.04.5 LTS.
One snap has a core16 base:
name: nmclitest16
base: core16
grade: devel
confinement: strict
apps:
version:
command: nmcli --version
plugs: [network-manager]
test:
command: nmcli c
plugs: [network-manager]
parts:
network-manager:
plugin: nil
stage-packages: [network-manager, libatm1]
Output of the commands:
user@host:~$ nmclitest16.version
nmcli tool, version 1.2.6
user@host:~$ nmclitest16.test
# prints the expected list of connections
The other snap with a core18 base:
name: nmclitest18
base: core18
grade: devel
confinement: strict
apps:
# same as above
parts:
network-manager:
plugin: nil
stage-packages: [network-manager, libatm1, libxtables12]
user@host:~$ nmclitest18.version
nmcli tool, version 1.10.6
user@host:~$ nmclitest18.test
Error: Could not create NMClient object: GDBus.Error:org.freedesktop.DBus.Error.AccessDenied: An AppArmor policy prevents this sender from sending this message to this recipient; type="method_call", sender=":1.8054" (uid=1000 pid=13488 comm="nmcli c " label="snap.nmclitest18.test (enforce)") interface="org.freedesktop.DBus.ObjectManager" member="GetManagedObjects" error name="(unset)" requested_reply="0" destination=":1.13" (uid=0 pid=1556 comm="/usr/sbin/NetworkManager --no-daemon " label="unconfined").
The network-manager snap has a 1.10/{beta, edge} track, but only for amd64, so I can’t test it on my armhf target. Attempting to install this version on my main Ubuntu host err’s out in the post-refresh hook with This snap is only supported on Ubuntu Core 18.