Just to let you know @sven.schatter, the following code is now working perfectly:
<Avatar appearance="circle" src="https://secure.gravatar.com/avatar/bd311dd52b9c5d3667b0b34f72959007?d=https%3A%2F%2Favatar-management--avatars.us-west-2.prod.public.atl-paas.net%2Finitials%2FBJ-0.png" size="large" />
Meaning *gravatar.com must have been added to the img-src part of the CSP on the Atlassian side - for this to work…
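
Added example, not part of the original post and not Atlassian's code: a simplified check of whether an image URL is permitted by a CSP `img-src` directive, showing why the avatar only loads once a gravatar.com source is listed. The two policies and the page origin are constructed for illustration; the real policy is not shown on this page.

```javascript
// Added example: simplified CSP img-src check (ignores ports, paths, nonces, hashes).
// Assumes the protected page is served over https. Policies below are constructed.
const PAGE_ORIGIN = 'https://app.example'; // hypothetical page origin
const POLICY_WITHOUT = "default-src 'self'; img-src 'self' data: https://*.atl-paas.net";
const POLICY_WITH = POLICY_WITHOUT + ' https://*.gravatar.com';

function parseCsp(header) {
  const directives = new Map();
  for (const part of header.split(';')) {
    const [name, ...sources] = part.trim().split(/\s+/);
    // The first occurrence of a directive wins; later duplicates are ignored.
    if (name && !directives.has(name.toLowerCase())) {
      directives.set(name.toLowerCase(), sources);
    }
  }
  return directives;
}

function sourceMatches(source, url, pageOrigin) {
  const s = source.toLowerCase();
  if (s === "'none'") return false;
  if (s === "'self'") return url.origin === pageOrigin;
  if (s === '*') return ['http:', 'https:'].includes(url.protocol);
  // Scheme-source such as "data:" or "https:".
  if (/^[a-z][a-z0-9+.-]*:$/.test(s)) return url.protocol === s;
  // Host-source with optional scheme; a scheme-less source inherits https here.
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?([^/:]+)/.exec(s);
  if (!m) return false;
  if (url.protocol !== (m[1] || 'https') + ':') return false;
  const host = m[2];
  // "*.example.com" matches subdomains only, not example.com itself.
  if (host.startsWith('*.')) return url.hostname.endsWith(host.slice(1));
  return url.hostname === host;
}

function imgAllowed(header, imageUrl, pageOrigin) {
  const csp = parseCsp(header);
  // img-src falls back to default-src when it is absent.
  const sources = csp.get('img-src') ?? csp.get('default-src');
  if (sources === undefined) return true; // no governing directive: unrestricted
  const url = new URL(imageUrl);
  return sources.some((src) => sourceMatches(src, url, pageOrigin));
}
```
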