On further investigation I notice that nslookup also correctly resolves the using the search domains listed under /etc/resolv.conf. Possibly dig and nginx are not using this information?
Anyway I was able to resolve the problem by parsing both nameserver and search out of /etc/resolv.conf such that I could construct the proper fqdn of the render private service.
TL;DR the private service name won’t work, it needs to be the full internal service fqdn. <service_name>.<search_domain>, then it will work. You can find the search domain with