How to identify clients when using DNS-over-HTTPS (thru doh-proxy)

I did at least manage to get DoH traffic clearly identified, though DoH clients are still all combined:

1. Start the DoH Proxy on a unique IP; 127.0.1.2:
   /etc/systemd/system/doh-proxy.service

    [Unit]
    Description=DNS over HTTPS server proxy
    After=syslog.target network-online.target
    
    [Service]
    Type=simple
    User=doh-proxy
    ExecStart=/usr/local/bin/doh-proxy --server-address 127.0.0.1:53 --local-bind-address 127.0.1.2:3000 --listen-address 127.0.1.2:3000 --hostname doh-proxy.hole
    Restart=on-failure
    RestartSec=10
    KillMode=process
    
    [Install]
    WantedBy=multi-user.target
   

2. Local DNS entry for the name in /etc/hosts:

    ...
    127.0.1.2       doh-proxy.hole
   

3. Modify lighttpd conf for the proxy to use that new IP:

   /etc/lighttpd/conf-available/20-doh-proxy.conf

    # Load necessary lighttpd modules
    server.modules += ("mod_openssl", "mod_proxy")
   
    # Forward DoH DNS queries to doh-proxy
    proxy.server = ("/dns-query" => ( (
      "host" => "127.0.1.2",
      "port" => 3000
    ) ) )
   
    $HTTP["remoteip"] != "127.0.0.1" {
      # Ensure the Pi-hole Block Page knows that this is not a blocked domain
      setenv.add-environment = ("fqdn" => "true")
   
      # Enable the SSL engine when using port 443
      $SERVER["socket"] == ":443" {
    	ssl.engine = "enable"
    	ssl.pemfile = "/root/certs/pi.hole.pem"
    	ssl.honor-cipher-order = "enable"
    	ssl.cipher-list = "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH"
      }
   
      # Redirect HTTP to HTTPS
      $HTTP["scheme"] == "http" {
    	$HTTP["host"] =~ ".*" {
    	  url.redirect = (".*" => "https://%0$0")
    	}
      }
    }
   

Now, DoH queries don't show up as localhost but as doh-proxy.hole.

The thinking was that if I could do this on-demand, in software, for every client coming in to DoH, that I'd be able to classify requests properly.
Connection -> read client hostname -> create /etc/hosts entry -> spin up new doh-proxy process configured for that client name -> some sort of teardown/cleanup logic for unused ones

It looks like the theory's sound, but it would require nontrival logic to be written somewhere.

And, for some reason FIREFOX connections immediately die with "cannot look up DNS" when attempting to connect; once unbound has finished finding the answer, you can refresh and it works.
Brave/Chrome work normally. I suspect this means that, after adding this new IP and name, the DoH pipeline returns immediately with no answer if unbound doesn't have an answer, rather than waiting.
I have not been able to find any logs to shed light on the situation.

For now, my DoH setup is still not really viable... I still need a feasible, reliable way to identify requesting clients.