What about the new tls-host matcher? It is possible to use it in the mangle table to set a routing-mark. So maybe (I haven't tested it) you mark all packets which hit the mangle rule with the Netflix and Hulu domains and route them through the VPN gateway.
Something like this:
/ip firewall mangle
add action=mark-routing chain=prerouting dst-port=443 in-interface=ether2-lan new-routing-mark=vpn passthrough=yes protocol=tcp tls-host=netflix.com
add action=mark-routing chain=prerouting dst-port=443 in-interface=ether2-lan new-routing-mark=vpn passthrough=yes protocol=tcp tls-host=*.netflix.com
add action=mark-routing chain=prerouting dst-port=443 in-interface=ether2-lan new-routing-mark=vpn passthrough=yes protocol=tcp tls-host=*.nflxext.com
add action=mark-routing chain=prerouting dst-port=443 in-interface=ether2-lan new-routing-mark=vpn passthrough=yes protocol=tcp tls-host=*.nflxvideo.net
add action=mark-routing chain=prerouting dst-port=443 in-interface=ether2-lan new-routing-mark=vpn passthrough=yes protocol=tcp tls-host=*.nflxso.net
A possibility where that could fail is this: your PC establishes the TCP connection to the Netflix server with the 3-way handshake. Next comes the TLS handshake, and your mangle rule will match and the packets now get routed through the VPN, but the Netflix server will reject the packets through the VPN because the source IP address changed.
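Added example, not part of the original post and not RouterOS code: a Python sketch of what a tls-host style matcher has to work from, showing that the host name only appears in the TLS ClientHello payload, so the TCP handshake packets before it carry nothing to match. The helper names, the constructed ClientHello bytes, and the use of `fnmatch` as a stand-in for the router's wildcard matching are assumptions.

```python
import fnmatch
import struct

# Patterns copied from the tls-host= values in the mangle rules above.
PATTERNS = ["netflix.com", "*.netflix.com", "*.nflxext.com",
            "*.nflxvideo.net", "*.nflxso.net"]

def build_client_hello(host):
    """Constructed sample: a minimal TLS ClientHello record with only an SNI extension."""
    name = host.encode()
    entry = b"\x00" + struct.pack("!H", len(name)) + name    # name_type 0 = host_name
    sni = struct.pack("!H", len(entry)) + entry              # server_name_list
    exts = struct.pack("!HH", 0, len(sni)) + sni             # extension type 0 = server_name
    body = (b"\x03\x03" + bytes(32) + b"\x00"                # version, random, empty session id
            + b"\x00\x02\x13\x01" + b"\x01\x00"              # one cipher suite, null compression
            + struct.pack("!H", len(exts)) + exts)
    hs = b"\x01" + len(body).to_bytes(3, "big") + body       # handshake type 1 = ClientHello
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs # record type 22 = handshake

def extract_sni(payload):
    """Return the SNI host name from a TCP payload, or None if there is none to read."""
    try:
        if payload[0] != 0x16 or payload[5] != 0x01:
            return None
        p = 5 + 4 + 2 + 32                                   # record hdr, handshake hdr, version, random
        p += 1 + payload[p]                                  # skip session id
        p += 2 + struct.unpack_from("!H", payload, p)[0]     # skip cipher suites
        p += 1 + payload[p]                                  # skip compression methods
        end = p + 2 + struct.unpack_from("!H", payload, p)[0]
        p += 2
        while p + 4 <= end:
            etype, elen = struct.unpack_from("!HH", payload, p)
            p += 4
            if etype == 0:                                   # server_name extension
                nlen = struct.unpack_from("!H", payload, p + 3)[0]
                return payload[p + 5:p + 5 + nlen].decode("ascii")
            p += elen
    except (IndexError, struct.error, UnicodeDecodeError):
        pass                                                 # empty or malformed payload
    return None

def would_mark(payload):
    """True if the SNI matches a pattern (fnmatch is an assumed stand-in for the router's matching)."""
    host = extract_sni(payload)
    return host is not None and any(
        fnmatch.fnmatchcase(host.lower(), pat) for pat in PATTERNS)
```

An empty payload, as in the SYN and ACK of the 3-way handshake, yields no host name, so those packets are never marked and the connection starts out on the unmarked route.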