Doesn't this require configuration at the end user, so you could just as easily ProxyJump or use a different port?

It's a nice solution but I've been looking for something more transparent (getting them to configure an SSH key is already difficult for them). A reverse proxy that selects backend based solely on the SSH key fingerprint would be ideal