Ordering was important:
$ modprobe shiftfs
$ sudo snap set lxd shiftfs.enable=true
$ sudo systemctl restart snap.lxd.daemon

Now it is enabled:
$ lxc info | grep shiftfs
shiftfs: "true"
$ lxc exec d-testapparmor -- mount | grep shift
/var/snap/lxd/common/lxd/storage-pools/default2/containers/d-testapparmor/rootfs on / type shiftfs (rw,relatime,passthrough=3)
/var/snap/lxd/common/lxd/storage-pools/default2/containers/d-testapparmor/rootfs on /snap type shiftfs (rw,relatime,passthrough=3)

And with that I can reproduce the bug:
$ lxc exec d-testapparmor -- aa-status
apparmor module is loaded.
0 profiles are loaded.
0 profiles are in enforce mode.
0 profiles are in complain mode.
0 processes have profiles defined.
0 processes are in enforce mode.
0 processes are in complain mode.
0 processes are unconfined but have a profile defined.
$ lxc exec d-testapparmor -- apparmor_parser -r /etc/apparmor.d/sbin.dhclient
AppArmor parser error for /etc/apparmor.d/sbin.dhclient in /etc/apparmor.d/tunables/home at line 25: Could not process include directory '/etc/apparmor.d/tunables/home.d' in 'tunables/home.d'

Installing the host kernel from proposed. => 5.0.0.14.15
ubuntu@disco-test-aa-stack:~$ sudo apt install linux-generic linux-headers-generic linux-image-generic
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following additional packages will be installed:
  linux-headers-5.0.0-14 linux-headers-5.0.0-14-generic linux-image-5.0.0-14-generic linux-modules-5.0.0-14-generic linux-modules-extra-5.0.0-14-generic
Suggested packages:
  fdutils linux-doc-5.0.0 | linux-source-5.0.0 linux-tools
The following NEW packages will be installed:
  linux-headers-5.0.0-14 linux-headers-5.0.0-14-generic linux-image-5.0.0-14-generic linux-modules-5.0.0-14-generic linux-modules-extra-5.0.0-14-generic
The following packages will be upgraded:
  linux-generic linux-headers-generic linux-image-generic
3 upgraded, 5 newly installed, 0 to remove and 8 not upgraded.
Need to get 67.1 MB of archives.
After this operation, 334 MB of additional disk space will be used.
Do you want to continue? [Y/n] Y
Get:1 http://archive.ubuntu.com/ubuntu disco-proposed/main amd64 linux-modules-5.0.0-14-generic amd64 5.0.0-14.15 [13.7 MB]
6% [1 linux-modules-5.0.0-14-generic 4743 kB/13.7 MB 35%]
Get:2 http://archive.ubuntu.com/ubuntu disco-proposed/main amd64 linux-image-5.0.0-14-generic amd64 5.0.0-14.15 [8350 kB]
Get:3 http://archive.ubuntu.com/ubuntu disco-proposed/main amd64 linux-modules-extra-5.0.0-14-generic amd64 5.0.0-14.15 [33.2 MB]
Get:4 http://archive.ubuntu.com/ubuntu disco-proposed/main amd64 linux-generic amd64 5.0.0.14.15 [1860 B]
Get:5 http://archive.ubuntu.com/ubuntu disco-proposed/main amd64 linux-image-generic amd64 5.0.0.14.15 [2484 B]
Get:6 http://archive.ubuntu.com/ubuntu disco-proposed/main amd64 linux-headers-5.0.0-14 all 5.0.0-14.15 [10.7 MB]
Get:7 http://archive.ubuntu.com/ubuntu disco-proposed/main amd64 linux-headers-5.0.0-14-generic amd64 5.0.0-14.15 [1170 kB]
Get:8 http://archive.ubuntu.com/ubuntu disco-proposed/main amd64 linux-headers-generic amd64 5.0.0.14.15 [2440 B]
Fetched 67.1 MB in 13s (5048 kB/s)
Selecting previously unselected package linux-modules-5.0.0-14-generic.
(Reading database ... 67632 files and directories currently installed.)
Preparing to unpack .../0-linux-modules-5.0.0-14-generic_5.0.0-14.15_amd64.deb ...
Unpacking linux-modules-5.0.0-14-generic (5.0.0-14.15) ...
Selecting previously unselected package linux-image-5.0.0-14-generic.
Preparing to unpack .../1-linux-image-5.0.0-14-generic_5.0.0-14.15_amd64.deb ...
Unpacking linux-image-5.0.0-14-generic (5.0.0-14.15) ...
Selecting previously unselected package linux-modules-extra-5.0.0-14-generic.
Preparing to unpack .../2-linux-modules-extra-5.0.0-14-generic_5.0.0-14.15_amd64.deb ...
Unpacking linux-modules-extra-5.0.0-14-generic (5.0.0-14.15) ...
Preparing to unpack .../3-linux-generic_5.0.0.14.15_amd64.deb ...
Unpacking linux-generic (5.0.0.14.15) over (5.0.0.13.14) ...
Preparing to unpack .../4-linux-image-generic_5.0.0.14.15_amd64.deb ...
Unpacking linux-image-generic (5.0.0.14.15) over (5.0.0.13.14) ...
Selecting previously unselected package linux-headers-5.0.0-14.
Preparing to unpack .../5-linux-headers-5.0.0-14_5.0.0-14.15_all.deb ...
Unpacking linux-headers-5.0.0-14 (5.0.0-14.15) ...
Selecting previously unselected package linux-headers-5.0.0-14-generic.
Preparing to unpack .../6-linux-headers-5.0.0-14-generic_5.0.0-14.15_amd64.deb ...
Unpacking linux-headers-5.0.0-14-generic (5.0.0-14.15) ...
Preparing to unpack .../7-linux-headers-generic_5.0.0.14.15_amd64.deb ...
Unpacking linux-headers-generic (5.0.0.14.15) over (5.0.0.13.14) ...
Setting up linux-headers-5.0.0-14 (5.0.0-14.15) ...
Setting up linux-headers-5.0.0-14-generic (5.0.0-14.15) ...
Setting up linux-modules-5.0.0-14-generic (5.0.0-14.15) ...
Setting up linux-headers-generic (5.0.0.14.15) ...
Setting up linux-image-5.0.0-14-generic (5.0.0-14.15) ...
I: /vmlinuz is now a symlink to boot/vmlinuz-5.0.0-14-generic
I: /initrd.img is now a symlink to boot/initrd.img-5.0.0-14-generic
Setting up linux-modules-extra-5.0.0-14-generic (5.0.0-14.15) ...
Setting up linux-image-generic (5.0.0.14.15) ...
Setting up linux-generic (5.0.0.14.15) ...
Processing triggers for linux-image-5.0.0-14-generic (5.0.0-14.15) ...
/etc/kernel/postinst.d/initramfs-tools:
update-initramfs: Generating /boot/initrd.img-5.0.0-14-generic
cryptsetup: WARNING: The initramfs image may not contain cryptsetup binaries nor crypto modules. If that's on purpose, you may want to uninstall the 'cryptsetup-initramfs' package in order to disable the cryptsetup initramfs integration and avoid this warning.
/etc/kernel/postinst.d/zz-update-grub:
Sourcing file `/etc/default/grub'
Sourcing file `/etc/default/grub.d/40-force-partuuid.cfg'
Sourcing file `/etc/default/grub.d/50-cloudimg-settings.cfg'
Sourcing file `/etc/default/grub.d/init-select.cfg'
Generating grub configuration file ...
Found linux image: /boot/vmlinuz-5.0.0-14-generic
Found initrd image: /boot/initrd.img-5.0.0-14-generic
Found linux image: /boot/vmlinuz-5.0.0-13-generic
Found initrd image: /boot/initrd.img-5.0.0-13-generic
done

Install worked fine, now rebooting into it.
$ uname -a
Linux disco-test-aa-stack 5.0.0-14-generic #15-Ubuntu SMP Wed Apr 24 15:39:57 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux

Still using shiftfs
$ lxc info | grep shiftfs
shiftfs: "true"
$ lxc exec d-testapparmor -- mount | grep shift
/var/snap/lxd/common/lxd/storage-pools/default2/containers/d-testapparmor/rootfs on / type shiftfs (rw,relatime,passthrough=3)
/var/snap/lxd/common/lxd/storage-pools/default2/containers/d-testapparmor/rootfs on /snap type shiftfs (rw,relatime,passthrough=3)

Profiles now load ok:
$ lxc exec d-testapparmor -- aa-status
apparmor module is loaded.
27 profiles are loaded.
27 profiles are in enforce mode.

Summarizing - kernel in proposed verified
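
Added example (not part of the original comment, and not LXD or AppArmor project code): a shell check for the symptom verified above, a container whose root is on shiftfs while aa-status reports zero loaded profiles. The function names are hypothetical and the embedded sample outputs are constructed from the output quoted in the comment.

```shell
#!/bin/sh
# Classify a container from captured `mount` and `aa-status` output.
# All names here are illustrative; samples are constructed, so this runs offline.

# Return 0 if the root filesystem is mounted as shiftfs.
# mount line format: <source> on <mountpoint> type <fstype> (<options>)
root_on_shiftfs() {
    printf '%s\n' "$1" | awk '
        $2 == "on" && $3 == "/" && $4 == "type" && $5 == "shiftfs" { found = 1 }
        END { exit !found }'
}

# Print the loaded-profile count from aa-status output (empty if not found).
loaded_profiles() {
    printf '%s\n' "$1" | awk '/^[0-9]+ profiles are loaded/ { print $1; exit }'
}

# $1 = mount output, $2 = aa-status output.
# Prints: ok | regression (shiftfs root, 0 profiles) | no-profiles | unknown
classify() {
    count=$(loaded_profiles "$2")
    if [ -z "$count" ]; then echo unknown; return; fi
    if [ "$count" -gt 0 ]; then echo ok; return; fi
    if root_on_shiftfs "$1"; then echo regression; else echo no-profiles; fi
}

# Constructed samples mirroring the output in the comment.
MOUNT_SHIFTFS='/var/snap/lxd/common/lxd/storage-pools/default2/containers/d-testapparmor/rootfs on / type shiftfs (rw,relatime,passthrough=3)'
AA_BROKEN='apparmor module is loaded.
0 profiles are loaded.
0 profiles are in enforce mode.'
AA_FIXED='apparmor module is loaded.
27 profiles are loaded.
27 profiles are in enforce mode.'

echo "before kernel update: $(classify "$MOUNT_SHIFTFS" "$AA_BROKEN")"
echo "after kernel update:  $(classify "$MOUNT_SHIFTFS" "$AA_FIXED")"

# Live use with the commands from the comment:
# classify "$(lxc exec d-testapparmor -- mount)" "$(lxc exec d-testapparmor -- aa-status)"
```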