Can we drop XP from HTTPS support? If not, when?
Depends entirely on specific sites. I suspect that a lot of sites with known audiences have already started dropping support for XP specific fixes - sites dedicated to OSX software, for example, probably get negligible XP using traffic. They may well have decided that they would rather have better security than worry about the few users who use XP.
On the other hand, sites like Facebook probably still see quite a lot of XP users, especially from countries where upgrading computers is prohibitively expensive. Dropping all support would instantly lose those users, which Facebook might not consider worthwhile.
It essentially comes down to a business decision though, rather than a security decision. If your business feels it is worth supporting these users, it will keep doing so. If not, it may drop the support.
For your own site, it's entirely safe to drop XP compatibility features. You might lose some users, but there isn't anything to stop you.
The only way to decide if you are willing to lose the users with XP on your site, is to find out how much of them there are.
Start to collect statistics on that. Then you have something to decide on.
If you decide to increase security and drop XP support, based on that numbers, you can also show big information banners with guides how to install another browser to the people still using XP on your site before you cut them off.
As other said, start by measuring the statistics, the most relevant the better. By relevant I mean "representative for your users", so I'd consider js-based analytics a bit more relevant than webserver log statistics if your site is meant to be used by humans and the reverse if you have some web APIs that you encourage people to use.
Then take those statistics and have a discussion with your superiors if the affected users are worth holding back security fixes. If you have any competitors, see what they did. If in the end they consider these users as being too relevant to drop, try to push for a campaign to make those users upgrade (by detecting their user-agent or negotiated TLS parameters and displaying some warning).
Note that it's basically impossible to detect the user-agent before the TLS handshake (since if their browser isn't able to negotiate a TLS session it will show a client-side error, they won't reach your application), so all these measures should be done before implementing the changes to your TLS listener.