Upgrade to 1.11.0
Can you please upgrade the package to 1.11.0? This will solve the problem with http2 and "ssl_verify_client optional" used with different subdomains, as you can see in the changelog:
Change: the "421 Misdirected Request" response now used when rejecting requests to a virtual server different from one negotiated during an SSL handshake; this improves interoperability with some HTTP/2 clients when using client certificates.
If this isn't possible in the mainstream, I suggest you add a backport package.
Thanks again for your help.