22.04 – How to stop updates during online cloudconfig autoinstall

I am trying to deploy a VM using packer and cloud-config autoinstall.
I am using ubuntu-22.04.2-live-server-amd64.iso image which comes with linux kernel 5.15.0-25

During the configuration, kernel version remains the same but after a reboot the kernel version used to get updated to 5.15.0-89(till few weeks earlier) and now to 5.15.0-91.
The problem is I am not able to control this behavior of kernel getting updated to some version.

Due to this I have to recompile my applications.
I am aiming to have a fixed version
Here is the reference to my user-data file for auto install

#cloud-config
autoinstall:
    version: 1
    early-commands:
        # workaround to stop ssh for packer as it thinks it timed out
        - sudo systemctl stop ssh
    packages: [open-vm-tools, openssh-server, curl, wget] 
    network:
        network:
            version: 2
            ethernets:
                ens160:
                    dhcp4: true
    identity:
        hostname: ubuntu-appliance
        username: ubuntu
        password: "$6$rounds=4096$ntlX/dlo6b$HXaLN4RcLIGaEDdQdR2VTYi9pslSeXWL131MqaakqE285Nv0kW9KRontQYivCbycZerUMcjVsuLl2V8bbdadI1"
    ssh:
        install-server: true
        allow-pw: true
        authorized-keys:
            - ssh-rsa   <key>      
    user-data:
        disable_root: false
    late-commands:
        # TBD - this sudoers setup effectively makes the ubuntu user a root user.  Need to tighten that up
        - echo 'ubuntu ALL=(ALL) NOPASSWD:ALL' > /target/etc/sudoers.d/ubuntu
        - curtin in-target --target=/target -- chmod 440 /etc/sudoers.d/ubuntu

So far after reading through the forums & taking reference I tried adding things in
for eg

    #cloud-config
    package_update: false
    package_upgrade: false
    apt:
        curthooks:
          mode: builtin
        geoip: false
        preserve_sources_list: false
        disable_suites: [updates, backports, security, proposed, release, universe, multiverse]

in late commands

    - curtin in-target --target=/target apt-mark hold linux-image-generic
    - curtin in-target --target=/target apt-get update
    - curtin in-target --target=/target apt-get install -y linux-image-5.15.0-89-generic

but so far nothing seems to be working.
I tried to run this also “dpkg-reconfigure unattended-upgrades” but same results.
Kernel gets updated to the latest version.

After reading & taking references I could not achieve it, can someone point out where I am going wrong or what exactly I need to change so that the kernel does not update to latest version or it just update to the version I specified.