See instructions here Full disk encryption, including /boot: Unlocking LUKS devices from GRUB

In addition to the above also create a key-file for the boot system so there should be key-files for both the encrypted devices (partitions)

Also if cryptsetup fails with the device being in use but you have unmounted /boot then try to stop/restart all the namespace mounts listed with lsns -t mnt

To load the kernel manually (seems to be necessary for the time being) and the perform a kexec “reboot”
More details here https://github.com/systemd/systemd/issues/15029

kexec --load --initrd=/initrd.img --reuse-cmdline /vmlinuz
systemctl kexec