The conceit here is that you must be "authorized" in order to write an app that puts the domain in question into the SNI field of a TLS connection that it initiates. I don't think that's reasonable.
It is of course up to Amazon what their servers then do when presented with such a connection, in particular whether they ensure the Host: header later presented matches the SNI data.
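The Host-versus-SNI check mentioned in the comment above, sketched as an added example (not part of the original comment and not Amazon's code). The function names, the choice of status codes, the allow-when-no-SNI policy and the sample hostnames are all assumptions made for illustration.

```python
from typing import Optional


def normalize_host(value: Optional[str]) -> Optional[str]:
    """Reduce an SNI name or Host header value to a comparable hostname."""
    if not value:
        return None
    host = value.strip().lower()  # DNS names compare case-insensitively
    if host.startswith("["):
        # IPv6 literal such as "[::1]:443": keep only the bracketed address.
        end = host.find("]")
        return host[1:end] if end != -1 else None
    if host.count(":") == 1:
        host = host.split(":", 1)[0]  # "name:port" form; drop the port
    return host.rstrip(".") or None  # "example.com." equals "example.com"


def check_request(sni: Optional[str], host_header: Optional[str]) -> int:
    """Return the HTTP status a strict front end would answer with.

    200 = SNI and Host agree, 400 = Host missing or malformed,
    421 = Misdirected Request (Host names a different origin than the SNI).
    """
    host = normalize_host(host_header)
    if host is None:
        return 400
    name = normalize_host(sni)
    if name is None:
        # Client sent no SNI. Assumed policy: nothing to compare, so allow.
        return 200
    return 200 if name == host else 421


# Constructed sample connections: (SNI from the ClientHello, Host header).
SAMPLES = [
    ("allowed.example", "allowed.example"),
    ("allowed.example", "Allowed.Example.:443"),
    ("allowed.example", "other.example"),
    (None, "other.example"),
    ("allowed.example", ""),
]

if __name__ == "__main__":
    for sni, host in SAMPLES:
        print(f"sni={sni!r:20} host={host!r:25} -> {check_request(sni, host)}")
```

The comparison has to happen after TLS termination, because the Host header is only visible once the request has been decrypted.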