awslabs / aws-c-mqtt

C99 implementation of the MQTT 3.1.1 specification.

Support for HTTP CONNECT proxies for MQTT/TLS connections

massi-ang opened this issue · comments

I need to access AWS IoT Core over MQTT/TLS (and not Websockets, since I need to use X509 certificates for authentication) using a forward proxy that can establish tunnels using HTTP CONNECT.

Per our internal discussions this is definitely a feature we need to add, but based on the description here (x509 auth required + proxy), would using the x509 credentials provider (via proxy) followed by websockets (via proxy) be a viable alternative in the meantime?

Using WebSockets is not an alternative, because IoT authorization then does not use the IoT access policies attached to the certificate and uses the IAM policies attached to the Role Alias obtained via the credential provider instead.

This has been added in release v0.7.3