I had to add a route inside the matter-server container, and now everything seems to work:
ip -6 route add <1> via <2> dev eth0 src <3>
Where <1> is the unique local address range used by my Thread devices (fd49:2203:740f::/64), <2> is the link-local IPv6 of my Thread Border Router (fe80:: address of my Apple TV), and <3> is the IPv6 of the container (2001: address of matter-server).
I got <1> and <2> by running
netstat -rn -f inet6 | grep UGc | grep -v default
on a device that correctly accepts routes (as opposed to Synology), and <3> from inside the container using ip addr | grep dynamic.
Note that you have to add
cap_add:
- NET_ADMIN
to the matter-server service in the Docker Compose file to be able to add routes using ip.
Now only to make this persistent and not sensitive to IP changes… 