Have you looked at running WireGuard on your server and connecting to it from the Pi? Then you have a VPN between the server and the Pi where you can send data in any protocol.
I do this to expose services to the internet in a limited way. WireGuard link between a Pi running, say, OctoPrint, and a VPS. Then, the VPS is running nginx or Caddy as a reverse proxy over that WireGuard link, giving me HTTPS access and even letting me add basic auth if I want another layer of authentication.
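A sketch of the VPS side of the setup described in the comment above, as an added example that is not the commenter's own configuration. The hostname, the Pi's tunnel address `10.8.0.2`, the upstream port `5000`, and all file paths are assumptions chosen for illustration.

```nginx
# Added example (constructed): nginx on the VPS, proxying to a service on the
# Pi over the WireGuard tunnel. Assumed values: print.example.com, 10.8.0.2
# (the Pi's tunnel address), port 5000, and the certificate/htpasswd paths.

# Redirect plain HTTP so basic-auth credentials are never sent in the clear.
server {
    listen 80;
    server_name print.example.com;
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl;
    server_name print.example.com;

    ssl_certificate     /etc/ssl/example/fullchain.pem;   # placeholder path
    ssl_certificate_key /etc/ssl/example/privkey.pem;     # placeholder path

    # Extra authentication layer in front of the application's own login.
    auth_basic           "Restricted";
    auth_basic_user_file /etc/nginx/.htpasswd;            # placeholder path

    location / {
        # The upstream is the Pi's WireGuard address, so the only path from
        # the internet to the service is VPS -> tunnel -> Pi.
        proxy_pass http://10.8.0.2:5000;

        proxy_http_version 1.1;
        # WebSocket upgrade, needed by web UIs that push live status.
        proxy_set_header Upgrade    $http_upgrade;
        proxy_set_header Connection "upgrade";

        proxy_set_header Host              $host;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}
```

The layering only holds if the service on the Pi is not also reachable some other way, so bind it to the tunnel address or firewall its port to the WireGuard interface.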
It's a shame that client certificates are implemented in such a clunky way in most browsers and operating systems, because that could also be an easy way to achieve this even without installing anything.