Hide clear SNI when using https
It is not possible to hide the SNI information if the server requires it to serve the proper certificate. There was discussion on encrypting this information in TLS 1.3, but this idea was abandoned since it would require establishing an additional encryption layer and thus add additional overhead to the connection establishment. Apart from that, this information might leak anyway due to DNS lookups, and of course also through the certificate the server sends, which is in plain text too. Thus if you want to better protect your privacy you need to use an additional encryption layer yourself, like a VPN.
For more details see also
- Why do HTTPS requests include the host name in clear text?
- How is HTTPS/SSL able to hide destination website that one is connecting to?
How do I prevent the other end from finding out which website I'm visiting on the server?
(Obviously not by using VPN or proxies.)
You've identified the primary method.
Theoretically, you can send one host name as part of SNI, and a different one in the HTTP Host header. However, Apache at least prevents you from doing this.
You may be able to send the request without SNI.
As long as the target server doesn't have an SSL network application (e.g. a non-decrypting SSL load balancer or reverse proxy) that uses SNI to redirect connections to the right server, and the server has a single SAN or wildcard certificate that covers all the services hosted there, the server should be able to handle requests without SNI.