Runtime certificate policy for outbound proxy->backend QUIC links.
Validates the negotiated peer certificate according to backend policy and updates TOFU state.