The app needs a build-time var, whereas fly secrets are only available at runtime which is after your app is up and running inside a Fly-managed VM (this is why printenv DATABASE_URL works in that ssh session).
Try supplying Dockerfile those vars via --build-arg switch to fly deploy (ref). You can then assign these ARGs to ENVs in the Dockerfile. As a bonus, env vars set with the ENV directive are also available to the VM at runtime (unless overriden by values from fly secrets, so make sure to unset if there are conflicting keys).