
This answer to a similar question on AES-GCM says that using the hash of the combination of message and key as a nonce (left half bits of counter, as I understand it, for AES-CTR) would be OK, but why even add the key? How is it bad to use the first 64 bits

$$ n = H(m)_{0..63}$$

of the hash $H$ of the message $m$ as a nonce $n$?

... Other than the potential of a hash collision, $H(m_1)=H(m_2)$, which would lead to reuse of the nonce?

kodlu
Harald

2 Answers


> How is it bad to use the first 64 bits $n = H(m)_{0..63}$?

Well, what that would mean is that if the adversary has a guess of the message, he could verify that guess by checking if that message, when hashed, gives the nonce.

We generally want the adversary to gain no information about the plaintext from the ciphertext (except for the length, which is expensive to hide, and so we often don't). Giving him a way to confirm what a guess of the message is (even if it's not perfect, a wrong guess has a $2^{-64}$ probability of being a false hit) contradicts this.

Stirring in a value that the adversary does not know (such as the key) prevents this.

poncho

AES-GCM (and the underlying CTR) is designed so that an attacker cannot tell apart the encryption of a message chosen by the attacker from the encryption of a random message of the same length. For decryption, we need to send the nonce. So if $H(m)$ is in the clear, that property of GCM is trivially broken.

> Other than the potential of a hash collision, $H(m_1)=H(m_2)$ ...

This makes the issue worse. If $m_1$ is the message chosen by the attacker and $m_2$ is a random message, collision resistance allows the attacker to easily tell apart encryptions of $m_1$ and a random $m_2$ when the nonce is known.

The approach of generating the nonce from the message is not without merit, though; generating nonces from the message is used in constructions like AES-GCM-SIV and other schemes designed to provide nonce-misuse resistance. A single nonce reuse can be catastrophic for AES-GCM. The difference in the construction in the question is that the nonce is derived using a PRF (a keyed construction such as CMAC or PMAC).

The answer linked in the question highlights that one needs to be careful with tossing in a key for the hash construction. $H(m|k)$ is somewhat better than $H(k|m)$; however, the former can be attacked offline by finding internal collisions.

Marc Ilunga
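As an added example (not part of the question or of either answer), the following Python contrasts the two derivations the answers discuss: the unkeyed $n = H(m)_{0..63}$ from the question, where anyone who sees the transmitted nonce can confirm a candidate plaintext by hashing it, and a keyed PRF derivation in the spirit of the AES-GCM-SIV construction mentioned in the second answer. HMAC-SHA256 stands in for the PRF (the second answer names CMAC/PMAC; HMAC is used here only because it is in the standard library), and the key, the candidate message list and the 64-bit truncation are constructed assumptions.

```python
import hashlib
import hmac

# Constructed values for the demonstration; none of these come from the post.
KEY = bytes.fromhex("00112233445566778899aabbccddeeff")  # constructed 128-bit key
NONCE_BYTES = 8  # 64-bit nonce, as in the question
CANDIDATES = [b"APPROVE", b"DENY", b"HOLD", b"ESCALATE"]  # constructed guess list


def nonce_from_hash(message: bytes) -> bytes:
    """Unkeyed derivation from the question: n = H(m)_{0..63} with H = SHA-256."""
    return hashlib.sha256(message).digest()[:NONCE_BYTES]


def nonce_from_prf(key: bytes, message: bytes) -> bytes:
    """Keyed derivation (SIV-style); HMAC-SHA256 stands in for a PRF such as CMAC/PMAC."""
    return hmac.new(key, message, hashlib.sha256).digest()[:NONCE_BYTES]


def confirm_guess(observed_nonce: bytes, guess: bytes) -> bool:
    """The passive observer's check: hash the guessed plaintext and compare it
    to the nonce that travels in the clear alongside the ciphertext."""
    return hmac.compare_digest(nonce_from_hash(guess), observed_nonce)


def confirmed_candidates(observed_nonce: bytes, candidates) -> list:
    """All candidates whose unkeyed hash matches the observed nonce.
    A wrong candidate matches only with probability about 2^-64."""
    return [g for g in candidates if confirm_guess(observed_nonce, g)]


def reveals_repetition(derive, *messages) -> bool:
    """Both derivations are deterministic, so two identical plaintexts produce the
    same nonce; this is the known trade-off of SIV-style schemes (equality of
    messages leaks) and is separate from confirming a specific guess."""
    nonces = [derive(m) for m in messages]
    return len(set(nonces)) < len(nonces)


def demo(secret_message: bytes = b"APPROVE") -> dict:
    """Run both derivations for one message and report what the observer learns."""
    hashed_nonce = nonce_from_hash(secret_message)
    prf_nonce = nonce_from_prf(KEY, secret_message)
    return {
        # Unkeyed: the observer pins the plaintext down to the single matching guess.
        "hash_confirmed": confirmed_candidates(hashed_nonce, CANDIDATES),
        # Keyed: without KEY the observer's hash of a guess tells nothing;
        # a false hit would need a 64-bit collision.
        "prf_confirmed": confirmed_candidates(prf_nonce, CANDIDATES),
        # Repeated plaintext still yields a repeated nonce under both schemes.
        "hash_repeats": reveals_repetition(nonce_from_hash, secret_message, secret_message),
        "prf_repeats": reveals_repetition(lambda m: nonce_from_prf(KEY, m),
                                          secret_message, secret_message),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

The `hash_confirmed` result is the point of the first answer: the nonce alone confirms the plaintext from a short candidate list, with no key material involved. The `prf_confirmed` result is empty because the observer cannot evaluate the PRF without the key, which is why SIV-style schemes key the derivation. The `*_repeats` flags show the residual leak both variants share: identical plaintexts under the same key produce identical nonces, so deterministic nonce derivation should be reserved for settings where that equality leak is acceptable.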