The prover provides the ciphertext $(A,B) = (r_1G,\ M+r_1P)$ and the Pedersen commitment $C = M + R_2$, where $M=mG$ and $R_2=r_2H$.
The prover also provides the verifier with a simple Schnorr signature for the public key $R_2$ on the generator point $H$, thus proving knowledge of $r_2$:
$(c,s)=(\texttt{hash}(kG),\ k-c\cdot r_2)$, where $k$ is a uniformly random nonce scalar, and $\texttt{hash}$ is a cryptographically secure hash function that returns a scalar value.
Note that the prover does not provide the $R_2$ point, only the signature $(c,s)$.
The verifier decrypts the message:
$M'= B - xA$, where $x$ is the verifier's public key such that $P=xG$
The verifier then uses brute force to recover the value $m'$ such that $M'=m'G$ (since the questioner has explicitly stated that $m$ is a small number).
This proves that $M'$ was created as a multiple of $G$, and that $M'$ is not composite (not created as a multiple of $H$ or by adding a multiple of $H$).
The verifier then calculates $R_2'=C-M'$
The verifier checks the Schnorr signature: $c\overset{?}{=} \texttt{hash}(sH+cR_2')$
If the signature verifies, it proves that $R_2'$ must have been constructed purely as a multiple of $H$, since $r_2'$ such that $R_2=r_2H$ is unknowable if $R_2'$ is composite (was constructed as a multiple of $G$ or by adding a multiple of $G$).
In conclusion, the verifier has been able to decrypt $M'$, and is satisfied that the Pedersen commitment must have also been a commitment to $M'$, because when we subtract $M'$ from the commitment, the result is proven to have been constructed purely as a multiple of $H$.
