... people trying to block outbound traffic using SNI, not inbound, and nothing on reverse proxies on MikroTik.
Breaking the connection works (as long as SNI is used; HTTP/2 is getting rid of SNI in unencrypted form as we know it today) because a connection can be broken at any stage, even when content is already being delivered. But forwarding a connection to the correct backend server at the TCP level (which is what the ROS firewall does) has to be done for every single packet, and TCP exchanges a few packets before SNI happens.
So no, it's not possible unless one uses a proper L7 solution - a reverse proxy. Whether it's run on the router (inside a container) or on a dedicated box, that's up to the admin.
Just a word of caution: the RP will terminate all TLS towards clients ... if backend servers use TLS, then there will be independent security sessions between the RP and the backend server. And terminating TLS means quite a lot of CPU effort to encrypt/decrypt communication (compared to plain HTTP, which is easy on the server's CPU). I'm sure RBs will be able to do it for a few tens of Mbps (at the expense of routing performance!), but not much more. It takes one modern x86-64 CPU core to handle 100 Mbps of TLS by HAProxy (so if the target is 500 Mbps, one needs 5 such cores). A decent amount of RAM comes in handy if one configures caching on the RP; it can help with slower backends.
IMO a better solution is to use one of the existing backend servers as the RP ... and this even works if other backends are behind other NAT firewalls; the RP can connect to non-standard ports (but that's not needed in OP's case as per the topic title).