I think you’ll want to use the --resolve option of curl for this. The reason its failing is because setting the Host header isn’t enough to have SNI be set for the TLS handshake:
https://hacksbrain.com/2018/08/27/testing-sni-enabled-servers-with-curl/