Yes, I understand that, but now I see where the confusion is coming from - I do not actuallly use the RAW rules to directly drop the packets (event though I think it should still work, because exactly as you mention it is happening before any Fasttrack processing), I rather set it to only create address-list entries, which I then block using normal Firewall entry. So Fasttrack not seeing the packets from RAW should not be the problem here. And RAW prerouting happening before the connection tracking made me think that it should process the RAW rules first, since Fasttrack comes into play only in the next step.
But as Amm0 pointed out (good catch btw.), Fasttrack is actually disabled in the video tutorial, and this not working has probably something to do with the “specificness” of using the tls-host feature.
Shame that it does not work with Fasttrack, as there does not seem to be any universal way of blocking unwanted websites these days, without disabling Fasttrack, and even then it is not 100% reliable.