There are plenty of good reasons why a customer might want to frame sharepoint content, and the OP wasn't asking for advice on whether this was a good idea or not.
The answer is, use the URL rewrite capability in IIS to rewrite the CSP header. Add server variable RESPONSE_CONTENT_SECURITY_POLICY. Then add a blank outbound rule and give it a name. Create a condition "Server Variable" "RESPONSE_CONTENT_SECURITY_POLICY" "match with regular expression" and value ".*" - i.e., match on any value or a missing value. Then in the action section choose Replace, and put the CSP header value you want.
If you search for "modify response header IIS url rewrite" you'll find a tutorial that explains all this.