The attacker can't be forced to make a request. In this PoC the attacker disabled their own outgoing image requests.

But that wouldn't help anyway, even if the image could be cached near the sender first, or the signal server prewarmed some other cache. After the victim opened the image, the attacker would see two locations that have the image cached, and could easily deduce which one is the victim's location (e.g. if Signal pre-warmed a random cache, repeating the attack a couple of times would be enough to eliminate the randomness).