That’s right. HTTP is used to set up the initial handshake/connection (it’s convenient), then it gets switched to a duplex TCP pipe.
You can configure client certificate verification in Caddy, actually. See the `client_auth` config in the `tls` directive:
But point taken, probably easier to avoid proxying in this case.
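For readers who want to see what the reply is pointing at, here is an added Caddyfile example of mutual TLS at the proxy (this is illustrative, not a snippet from the post or from the Caddy project). The hostname, the upstream address and the CA path are assumed placeholders; the `client_auth` block, its `mode` and `trusted_ca_cert_file` options are standard Caddy 2 `tls` sub-directives.

```caddyfile
# Added example (not from the original post). Hostname, upstream and
# CA path are placeholders; replace them for your own deployment.
example.com {
    tls {
        client_auth {
            # require_and_verify: the client must present a certificate
            # AND it must chain to one of the trusted CAs below. Weaker
            # modes such as "request" or "require" would accept a
            # connection without validating the chain.
            mode require_and_verify
            trusted_ca_cert_file /etc/caddy/pki/client-ca.pem
        }
    }

    # Only connections that passed client-cert verification reach the
    # upstream; the backend itself never sees the client's TLS handshake,
    # which is exactly the trade-off the reply above is discussing.
    reverse_proxy localhost:8080
}
```

Note that because the TLS session terminates at Caddy, the upstream cannot inspect the client certificate itself unless you forward identity explicitly (for example via a header the backend trusts only from the proxy); if the backend needs end-to-end certificate validation, the reply's suggestion to skip the proxy layer is the simpler path.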