Note, my suggested changes to the udev rules assumed you kept the apparmor rules changes. Assuming you made the changes to apparmor, loaded them into the kernel, made the udev changes and called sudo udevadm trigger, then after your snap runs, what:
- is in
/sys/fs/cgroup/devices/snap.<snap>.<command>/devices.list? - is the output of
ls -l /dev/sg0? - is your user in the ‘cdrom’ group?