What version of SAM are you running?
SAM pre 2018.1 doesn't understand TLS and can't process encrypted websites/files/documents/whatever you want to call it.
It won't even be able to request anything from the server on HTTPS / port 443 as the server expects a TLS encrypted communication but won't receive that from SAM pre 2018.1.
Both CSP and HSTS are just headers sent by the server to tell the browser how it should process client side information.
SAM will ignore both of these.
If you open http://example.com
(i.e. unencrypted plain HTTP) with enabled HSTS it will send a Header in the reply that tells the browser to instead call https://example.com
(i.e. TLS-encrypted HTTPS), but SAM will ignore that header and still process the body of the plain HTTP request (just like any old browser without HSTS support would do).
Usually HSTS is combined with a forced redirect. All requests in plain text on port 80 will only get a redirect to the encrypted HTTPS version as a response and no actual content.
If that is the case, SAM can't process the site at all in versions prior to SAM 2018.1
With CSP regardless of whether you open http://example.com
on Port 80 or https://example.com
If you absolutely must use HTTPS, upgrade to SAM 2018.1 or newer. That functionality isn't present at all in older SAM versions and won't be backported either.