Thank you, ocicat! Great work.
I suppose I'll need to stand up a Squid+SslBump implementation. Perhaps Squid 'rules' can be applied to the decrypted traffic to validate it as pure HTTP and block / log it otherwise.
I'll post progress on this as it's made.