The only working solution for us was the following:
[Unit]
Description=Hello World Container
After=network-online.target
Wants=network.target
[Service]
Environment=PODMAN_SYSTEMD_UNIT=%n
TimeoutStartSec=0
Restart=on-failure
ExecStartPre=/bin/podman rm -i -f %N
ExecStartPre=/usr/bin/rm -f %t/%N.pid
ExecStart=/bin/podman run --name %N --conmon-pidfile %t/%N.pid --cgroups disabled --log-driver journald --pull always -d -q hello-world
ExecStop=/bin/podman stop -i -t 10 %N
ExecStopPost=-/bin/podman image prune -f
PIDFile=%t/%N.pid
KillMode=none
Type=forking
[Install]
WantedBy=multi-user.target
This was based on the finding that systemd shuts down the container process in its dynamic cgroup that has no dependencies first, so the conmon process fails stopping the container when triggered from the unit file.
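One way to check the cgroup placement described above, as an added example that is not part of the original post: it compares the cgroup of the container process and of conmon with the unit's own control group. The helper names `cgroup_path`, `in_unit_cgroup` and `check_unit` are hypothetical, and `check_unit` assumes a host with systemd and podman.

```shell
#!/bin/sh
# Added example (not from the original post): report whether the container
# process and conmon live inside the systemd unit's cgroup or outside it.

# Print the cgroup path from a /proc/<pid>/cgroup-style file.
# Prefers the cgroup v2 line ("0::/path"), else the v1 name=systemd line.
cgroup_path() {
    awk -F: '
        $1 == "0" && $2 == "" { p = $0; sub(/^[^:]*:[^:]*:/, "", p); v2 = p; has2 = 1 }
        $2 == "name=systemd"  { p = $0; sub(/^[^:]*:[^:]*:/, "", p); v1 = p; has1 = 1 }
        END { if (has2) print v2; else if (has1) print v1; else exit 1 }
    ' "$1"
}

# Succeed if cgroup path $2 is the unit cgroup $1 or a child of it.
in_unit_cgroup() {
    [ -n "$1" ] || return 1          # unit not running: no cgroup to compare
    case "$2" in
        "$1"|"$1"/*) return 0 ;;
        *)           return 1 ;;
    esac
}

# $1 = unit name, $2 = container name (with the unit above, both derive from %N).
check_unit() {
    unit_cg=$(systemctl show -p ControlGroup --value "$1")
    for field in Pid ConmonPid; do
        pid=$(podman inspect --format "{{.State.$field}}" "$2")
        cg=$(cgroup_path "/proc/$pid/cgroup")
        if in_unit_cgroup "$unit_cg" "$cg"; then where=inside; else where=OUTSIDE; fi
        echo "$field $pid: $cg ($where unit cgroup $unit_cg)"
    done
}

# Only runs when called with arguments, e.g.: ./check.sh hello.service hello
if [ "$#" -ge 2 ]; then
    check_unit "$1" "$2"
fi
```

A process reported as OUTSIDE sits in a cgroup that systemd does not treat as part of the unit, which is the situation the post describes.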