You can simplify. You already got http-to-https redirect on entrypoint and also the X-Forwarded-Proto header is set automatically by Traefik.
Are you sure proxmox-spice-tls with tls: passthrough: true will work? You forward the request encrypted with a Traefik LetsEncrypt TLS cert, but your target service will need access to the TLS cert to decrypt the request.
Tbh I don't really know if that part is being used. I'm just getting started with Traefik so I don't have the complete picture. I just moved from Ngnix Proxy Manager and still getting the hang of it..
This config does work, I can click the "Console" button on my Proxmox instance (while accessing via my proxy subdomain) and it does connect with remote-viewer and I can work with my VM just fine (it's an ubuntu 24.04 install), but I don't really know if the resulting connection is encrypted.