Nothing special, except for inserting this when jlmkr asks for “Additional flags”:
--capability=CAP_NET_ADMIN
When the jail starts, shell into it, then
apt install curl
curl -fsSL https://tailscale.com/install.sh | sh
tailscale up -authkey [your auth key]
It just works. I’m aware that using simple host networking (instead of --network-macvlan or --network-bridge) is frowned upon, but in my specific case - using Tailscale to manage the host itself - it seemed the easiest way.
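
A check to run inside the jail once it has started, confirming that the `--capability=CAP_NET_ADMIN` flag actually reached the container before Tailscale is installed. This is an added example, not part of the original post; the function names are illustrative, and bit 12 is the value of CAP_NET_ADMIN in `linux/capability.h`.

```shell
#!/bin/sh
# Added example: verify CAP_NET_ADMIN in a process's capability sets.
# Function names are hypothetical; the bit number is from linux/capability.h.
CAP_NET_ADMIN_BIT=12

# mask_has_net_admin HEXMASK -> returns 0 if bit 12 is set in the mask
mask_has_net_admin() {
    m=${1#0x}
    case "$m" in
        ''|*[!0-9a-fA-F]*) return 1 ;;   # empty or not hex: treat as absent
    esac
    [ $(( 0x$m & (1 << $CAP_NET_ADMIN_BIT) )) -ne 0 ]
}

# cap_field NAME [STATUS_FILE] -> prints the hex mask for CapEff, CapBnd, ...
cap_field() {
    awk -v key="$1:" '$1 == key { print $2 }' "${2:-/proc/self/status}"
}

# report [STATUS_FILE] -> one line per set; returns 0 only if both the
# effective and bounding sets include CAP_NET_ADMIN
report() {
    rc=0
    for name in CapEff CapBnd; do
        mask=$(cap_field "$name" "${1:-/proc/self/status}")
        if mask_has_net_admin "$mask"; then
            echo "$name=$mask includes CAP_NET_ADMIN"
        else
            echo "$name=$mask lacks CAP_NET_ADMIN"
            rc=1
        fi
    done
    return $rc
}

# Run as root inside the jail:  sh thisfile.sh --check
if [ "${1:-}" = "--check" ]; then
    report
fi
```

If `report` shows the capability missing from CapBnd, the flag was not applied to the jail and the additional flags need rechecking before continuing.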