I have a CentOS 8 host with libvirt (KVM) and podman (1.6) installed.
libvirt brought a bridge called "virbr0", and guests are attached to it with an address from the range 192.168.122.0/24. virbr0 itself has 192.168.122.1. Guests can talk to each other, to the host, and to the internet. So far nothing special...
Besides libvirt we have podman, which comes along with CNI, which in turn provides a bridge called "cni-podman0" and spins up a network with the range 10.88.0.0/16.
When I spawn a container (with its own net ns), let's say a WordPress instance, I'm able to reach this service from the host and from a libvirt guest using the container's IP address, e.g. curl -L 10.88.0.10.
But on the other hand, when I try to reach a libvirt guest from a podman container I always get "curl: (7) Failed to connect to 192.168.122.14 port 8443: Connection refused". (No, it's not a forgotten firewall setting.)
When I use tcpdump I can see that packets don't get any further than the container bridge "cni-podman0". (After two "Retransmission"s it gives up.)
iptables looks just normal to me:
iptables -nvL -t nat
Chain PREROUTING (policy ACCEPT 1540 packets, 192K bytes)
pkts bytes target prot opt in out source destination
Chain INPUT (policy ACCEPT 75 packets, 6929 bytes)
pkts bytes target prot opt in out source destination
Chain POSTROUTING (policy ACCEPT 1412 packets, 86218 bytes)
pkts bytes target prot opt in out source destination
0 0 RETURN all -- * * 192.168.122.0/24 224.0.0.0/24
0 0 RETURN all -- * * 192.168.122.0/24 255.255.255.255
3 180 MASQUERADE tcp -- * * 192.168.122.0/24 !192.168.122.0/24 masq ports: 1024-65535
0 0 MASQUERADE udp -- * * 192.168.122.0/24 !192.168.122.0/24 masq ports: 1024-65535
0 0 MASQUERADE all -- * * 192.168.122.0/24 !192.168.122.0/24
0 0 CNI-df70ac6052cc3121e6aed9de all -- * * 10.88.0.16 0.0.0.0/0 /* name: "podman" id: "ae18985e3e1a0905bc04be8021bcacdd61436e682be24c08e2e53b0705baad33" */
Chain OUTPUT (policy ACCEPT 1412 packets, 86218 bytes)
pkts bytes target prot opt in out source destination
Chain CNI-df70ac6052cc3121e6aed9de (1 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- * * 0.0.0.0/0 10.88.0.0/16 /* name: "podman" id: "ae18985e3e1a0905bc04be8021bcacdd61436e682be24c08e2e53b0705baad33" */
0 0 MASQUERADE all -- * * 0.0.0.0/0 !224.0.0.0/4 /* name: "podman" id: "ae18985e3e1a0905bc04be8021bcacdd61436e682be24c08e2e53b0705baad33" */
...if I understand this correctly, the last row tells us to SNAT all traffic destined for targets that do not belong to a multicast address.
Could someone please put me back on the right track? Thank you!
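As an added check (example code, not from the post), the following parses the nat table quoted above and walks POSTROUTING the way netfilter does for a given source and destination, including the jump into the CNI chain and RETURN/fall-through handling. It assumes the container is the 10.88.0.16 named in the CNI jump rule; for the failing container-to-guest packet it returns MASQUERADE, i.e. the guest sees the connection arriving from the host's virbr0 address rather than from 10.88.0.16, which is worth keeping in mind when reading a tcpdump on virbr0 or the conntrack table.

```python
import ipaddress
# Constructed excerpt of the `iptables -nvL -t nat` output quoted in the post (trailing comments dropped).
NAT_TABLE = """\
Chain POSTROUTING (policy ACCEPT 1412 packets, 86218 bytes)
 pkts bytes target prot opt in out source destination
 0 0 RETURN all -- * * 192.168.122.0/24 224.0.0.0/24
 3 180 MASQUERADE tcp -- * * 192.168.122.0/24 !192.168.122.0/24 masq ports: 1024-65535
 0 0 MASQUERADE all -- * * 192.168.122.0/24 !192.168.122.0/24
 0 0 CNI-df70ac6052cc3121e6aed9de all -- * * 10.88.0.16 0.0.0.0/0
Chain CNI-df70ac6052cc3121e6aed9de (1 references)
 pkts bytes target prot opt in out source destination
 0 0 ACCEPT all -- * * 0.0.0.0/0 10.88.0.0/16
 0 0 MASQUERADE all -- * * 0.0.0.0/0 !224.0.0.0/4
"""

def parse_chains(text):
    """Map chain name -> rules (target, proto, src, dst) parsed from -nvL output."""
    chains, cur = {}, None
    for line in text.splitlines():
        f = line.split()
        if not f or f[0] == "pkts":          # blank line or column header
            continue
        if f[0] == "Chain":
            chains.setdefault(cur := f[1], [])
        else:  # columns: pkts bytes target prot opt in out source destination ...
            chains[cur].append({"target": f[2], "proto": f[3], "src": f[7], "dst": f[8]})
    return chains

def _addr_match(spec, addr):  # honours '!' negation; a bare host is a /32
    net = ipaddress.ip_network(spec.lstrip("!"), strict=False)
    return (ipaddress.ip_address(addr) in net) != spec.startswith("!")

def _walk(chains, chain, src, dst, proto):
    # Netfilter semantics: first matching terminating target wins, RETURN pops out.
    for r in chains[chain]:
        if (r["proto"] not in ("all", proto) or not _addr_match(r["src"], src)
                or not _addr_match(r["dst"], dst)):
            continue
        if r["target"] == "RETURN":
            return None
        if r["target"] in chains:            # jump into a user-defined chain
            verdict = _walk(chains, r["target"], src, dst, proto)
            if verdict is not None:
                return verdict
            continue                         # fell through: keep walking this chain
        return r["target"]
    return None

def nat_verdict(src, dst, proto="tcp", table=NAT_TABLE):
    """POSTROUTING verdict for one packet, falling back to the chain policy (ACCEPT)."""
    return _walk(parse_chains(table), "POSTROUTING", src, dst, proto) or "ACCEPT"
```

Calling nat_verdict("10.88.0.16", "192.168.122.14") gives MASQUERADE, while nat_verdict("10.88.0.16", "10.88.0.10") stays ACCEPT because the CNI chain accepts container-to-container traffic before the MASQUERADE row.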