Just updating this thread real quick to bring some closure.
I did finally reverse proxy WAC successfully (it requires that keep-alive is not disabled, and that HTTP/2 is disabled). The hardest part was getting the NTLM authentication to proxy successfully, as it violates HTTP’s conventions of being stateless.
I am not sure what negative side-effects or implications my implementation has, but it works! It effectively does what nginx’s commercial ntlm module does: Module ngx_http_upstream_module
I have a lot of code cleanup to do but will be pushing it once it’s looking good.
More info in this thread: Doesn't work when reverse proxy Windows Admin Center - #41 by matt
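
For reference, a minimal nginx configuration using the `ntlm` directive named in the post. This is an added example, not the poster's implementation. The upstream name, hostnames and certificate paths are placeholders, and `ntlm` is only available in the commercial build. Once a client sends an `Authorization` header starting with `NTLM` or `Negotiate`, the directive binds that client connection to one upstream connection, so an authenticated upstream connection is not shared between clients.

```nginx
# Placeholder upstream for the Windows Admin Center gateway.
upstream wac_backend {
    server wac.internal.example:443;   # placeholder host and port

    # Commercial-only directive: pin each client connection to its own
    # upstream connection so the NTLM handshake and the authenticated
    # session stay on the same TCP connection.
    ntlm;
}

server {
    # No "http2" parameter here: NTLM is connection-bound and the
    # post notes that HTTP/2 has to be disabled.
    listen 443 ssl;
    server_name wac.example.com;       # placeholder name

    ssl_certificate     /etc/nginx/tls/wac.example.com.crt;  # placeholder
    ssl_certificate_key /etc/nginx/tls/wac.example.com.key;  # placeholder

    # Client-side keep-alive must stay enabled (a value of 0 disables it).
    keepalive_timeout 65s;

    location / {
        proxy_pass https://wac_backend;

        # Upstream keep-alive needs HTTP/1.1 and an empty Connection header,
        # otherwise nginx sends "Connection: close" after every request and
        # the multi-step NTLM handshake cannot complete.
        proxy_http_version 1.1;
        proxy_set_header Connection "";

        proxy_set_header Host $host;
    }
}
```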