I’m not sure where you got the idea of error code 444, that’s a non-standard HTTP status code, only used by nginx.
Caddy’s default behaviour when you configure it with a domain is to not match requests that don’t have that domain in the Host header.
It’s not possible to “block someone manually setting the Host header”, because that is what the browser does when you put the domain in the URL.
Browsers also set the TLS-SNI field in the TLS handshake so that the server can determine which certificate to use to complete the handshake (because the Host header is part of the request payload which is encrypted, otherwise the server would have no way to know which certificate to use for which request).
That’s normal, that means the TLS handshake failed because the browser either couldn’t trust the certificate it was sent from the server, or it didn’t match the hostname it sent in the request (if you made a request with an IP address but the server responds with a certificate for a particular domain and not that IP address, then it fails).
This means that Caddy wasn’t able to resolve the name portainer with Docker’s built-in DNS server to an IP address. I’m not sure why that would happen, but that’s not a problem with Caddy, it’s a problem with your Docker setup.