> These signatures can be verified against an origin's certificate to establish that the exchange is authoritative for an origin even if it was transferred over a connection that isn't.

So not possible with TLS (unless you tunnel TLS inside TLS). I can't think of any killer use cases that would (IMO) justify the complexity, but Appendix A does list use cases.