No, those are sufficiently different that I wouldn't expect a problem. Somehow the SNI selection is either failing, or the cert the controller is presenting is invalid.
I would check using something like:
```
openssl s_client -connect ec2-52-201-240-80.compute-1.amazonaws.com:1280 | openssl x509 -text | grep Alternative -A2
```
If you run that (that's my controller) you'll see the Subject Alternative Names returned:
```
$ openssl s_client -connect ec2-52-201-240-80.compute-1.amazonaws.com:1280 | openssl x509 -text | grep Alternative -A2
depth=1 CN = ziti-controller-web-intermediate
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 CN = ziti-controller-web-identity
verify return:1
X509v3 Subject Alternative Name:
DNS:localhost, DNS:ziti-controller, DNS:ziti-controller-client, DNS:ziti-controller-client.ziti, DNS:ziti-controller-client.ziti.svc, DNS:ziti-controller-client.ziti.svc.cluster.local, DNS:ec2-52-201-240-80.compute-1.amazonaws.com, DNS:ec2-52-201-240-80.compute-1.amazonaws.com, IP Address:127.0.0.1, IP Address:0:0:0:0:0:0:0:1
```
Let's make sure the certs that are coming back are for the URL you think you're connecting to. It's easy to screw up ports etc. I'll try to revise my HAProxy setup and see if I did anything differently. I assume you found that Discourse post, but if not you can scan "Using a Single Port for OpenZiti Components" to see if there are any hints in there.
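
The check suggested in the post above, as an added example that is not part of the original post: it parses the `X509v3 Subject Alternative Name` block from `openssl x509 -text` output and reports whether the host you dialled is covered. The function names are hypothetical, and the sample text is a subset of the SAN line shown in the post.

```python
import ipaddress
import re

# Constructed sample: a subset of the SAN line from the s_client output above.
SAMPLE_X509_TEXT = """\
            X509v3 Subject Alternative Name:
                DNS:localhost, DNS:ziti-controller, DNS:ec2-52-201-240-80.compute-1.amazonaws.com, IP Address:127.0.0.1, IP Address:0:0:0:0:0:0:0:1
"""

def parse_sans(x509_text):
    """Return (dns_names, ip_addresses) found in `openssl x509 -text` output."""
    m = re.search(r"X509v3 Subject Alternative Name:[^\n]*\n\s*([^\n]+)", x509_text)
    if not m:
        return [], []
    dns, ips = [], []
    for entry in m.group(1).split(","):
        # Split on the first ':' only, so IPv6 values keep their colons.
        kind, _, value = entry.strip().partition(":")
        if kind == "DNS":
            dns.append(value.lower())
        elif kind == "IP Address":
            ips.append(ipaddress.ip_address(value))
    return dns, ips

def host_matches(host, dns, ips):
    """True if the name or address you connected to is covered by the SANs."""
    try:
        return ipaddress.ip_address(host) in ips
    except ValueError:
        pass  # not an IP literal, compare as a DNS name
    host = host.lower().rstrip(".")
    for pattern in dns:
        if pattern == host:
            return True
        # A wildcard covers exactly one leftmost label (RFC 6125).
        if pattern.startswith("*.") and "." in host:
            if host.split(".", 1)[1] == pattern[2:]:
                return True
    return False

if __name__ == "__main__":
    dns, ips = parse_sans(SAMPLE_X509_TEXT)
    for target in ("ec2-52-201-240-80.compute-1.amazonaws.com", "router.example.com"):
        verdict = "covered" if host_matches(target, dns, ips) else "NOT covered"
        print(f"{target}: {verdict}")
```

A "NOT covered" result for the name in your URL means the listener on that port is presenting a certificate for a different component, which is the port or SNI mix-up the post describes.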