Per-port mTLS on the same SNI hostname — supported, or does it require distinct hostnames? (v3.7.4, Kubernetes CRD)

I'm trying to serve one hostname (app.example.com) with different client-cert requirements per port: cert-free on :443 (websecure) for the browser/login routes, and RequireAndVerifyClientCert on a second entrypoint :8443 for a couple of mTLS-only paths. Everything is via the Kubernetes CRD provider (IngressRoute + TLSOption), Traefik v3.7.4.

The config resolves correctly — the API (/api/http/routers) shows each router bound to the option I expect (default on websecure, pilot-mtls on the 8443 entrypoint) — but at runtime Traefik logs Found different TLS options for routers on the same host, so using the default TLS options instead and serves no client-cert request on either port. A verbose TLS trace confirms :8443 never sends a CertificateRequest. I tried it both ways: per-router tls.options, and binding the option at the entrypoint level (--entrypoints.pilot.http.tls.options=...). Same result each time. It only starts requesting the client cert when I give the mTLS routes a distinct hostname that isn't also served on :443.

So my question: is different clientAuth for the same SNI hostname across two entrypoints actually supported, or is the effective TLS option computed per-hostname globally (across entrypoints), making a distinct hostname the only option? If the former, what am I missing — and does a catch-all PathPrefix(/) router on the :443 side (like #10271) interfere with option resolution for the same host on the other entrypoint?