I eventually worked this one out, and it's actually relatively simple.
The solution is to create 2 services which reference the traefik deployment - i.e.:
# Set different pool names in each service
- name: web
- name: websecure
# Optionally set a specific ip in the pool
# loadBalancerIP: 126.96.36.199
Each service will then redirect traffic from "it's" ip address to the pod, where the IngressRoute can look at the Host etc values as usual.
Note: if you are deploying traefik using Helm then you may want to disable the 'default' service and expressly create both services yourself. You can do this by changing the Helm values.yaml to have:
(Otherwise you will need to update values such as deployment.annotations to match the above).