Heh - this is why some people employ stunnel and route that over HTTPS so that an outer tunnel can be stripped, but the inner one is less likely to be so. Or a certificate checker that detects the corporate cert instead of the expected client cert. But PuTTY was/is always good for standalone operation and connecting to local ports (i.e. double wrapped stunnel endpoints).
However, you've got to be fairly determined for that, and (as mentioned) it's going to raise question marks.
Forcepoint (formerly WebSense) can detect and nobble SSH over HTTPS fairly easily, and also breaks (at least single wrapped) stunnel connections.
Easier ways to get SSH with Traefik are:
a) Install Guacamole & guacd, and set Guacamole up to SSH to your box. You just access Guacamole.
Connection TO Guacamole is pure HTTPS (which may be decrypted) although the onward Guacamole/guacd connection (on your LAN) can remain encrypted. Put Guacamole behind OAuth and ideally enable 2FA (on both OAuth and/or Guacamole).
b) Install kasmweb-chrome (and hide that behind OAuth as it has only rudimentary security) and use that as a jump box to stuff - or for remote browsing.
Each of the above looks like HTTPS and not SSH, because they are.
I have WireGuard behind Traefik, so I am "on LAN" wherever I am, but if WireGuard fails, I can access Guacamole securely and get onto my boxes. Guacamole keeps sessions open as well, so you can close your tabs as necessary and just resume at leisure.
For the other option, set up knockd on your router, so that port 22 (or 443, or other) is only open for 30 seconds after the successful knock, then closes down. It stops (as much) fingerprinting although it doesn't explain connections.
My use case? Accessing home CCTV and my home iLO remotely, in as secure a way as I can concoct.
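
A knockd configuration matching the 30-second window described in the post above, as an added example that is not part of the original post. The interface name, the knock sequence and the iptables layout (a default-drop INPUT chain on the router with an existing ESTABLISHED,RELATED accept rule) are assumptions to adapt.

```ini
# /etc/knockd.conf (added example; values below are constructed)
[options]
    UseSyslog
    # Assumed WAN-facing interface on the router
    Interface = eth0

[timedSSH]
    # Constructed knock sequence: pick your own ports and keep them private
    sequence      = 7000:tcp,8000:udp,9000:tcp
    # The whole sequence must arrive within 10 seconds
    seq_timeout   = 10
    # Only count SYN packets as knocks
    tcpflags      = syn
    # Open port 22 for NEW connections from the knocking address only
    start_command = /sbin/iptables -I INPUT -s %IP% -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
    # Run stop_command 30 seconds after start_command
    cmd_timeout   = 30
    # Remove the same rule again, closing the port to new connections
    stop_command  = /sbin/iptables -D INPUT -s %IP% -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
```

A session opened inside the 30-second window survives the close only because of the assumed ESTABLISHED,RELATED rule; without it the stop_command would cut the session as well. Both commands are logged via syslog, which gives you a record of every successful knock and the source address it came from.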