I then changed the match URL to an exact (no wildcards) local IP address (10.***.***.***) which also has a https certificate (which is currently not configured properly). The WebExtension stopped working.
My question: Are WebExtensions not allowed on local IPs? If so, how to allow them?
And another question: Are WebExtensions not allowed on untrusted https sites (where you had to confirm the exception in order to see the page)? If so, how to grant the WebExtension access?
This does not answer my question, but thank you for the reply anyways.
In the meantime i found out some things by myself:
local IPs should work
the behaviour for which URLs are allowed and which not is defined by the Content Security Policy
by default the CSP only allows https, except for Firefox-internal URLs, inline scripts and eval.
the CSP can be changed to some extend by the script (or the surrounding website??) itself (i think it can only be made more restrictive but not less restrictive).
the default CSP can be changed in about:config. There are 2 keys, which I am still reverse engineering.
My issue is probably because my https certificate is not configured properly. I think when Firefox encounters a badly configured certificate (and you add an exception for this site), Firefox distrusts it anyways and treats it like a normal http site. So no scripts/WebExtensions get executed.