Ziti Routing Question

Hi @strand, welcome to the community and to OpenZiti!

Would you mind explaining exactly what you're trying to do just 'overall'? OpenZiti has some different paradigms available and it can lead to different setups than "regular IP networking". Everyone starts with that knowledge of IP though. It can help me and others give you a better answer if you can describe what the overall solution is... I'll still see if I can give you answers to your questions though...

When you say "shows different origins", can I assume you mean via tcpdump on the remote ssh server? It kind of sounds to me like you might have allowed "all" identities to bind the particular ssh service? If that's the case, OpenZiti round-robins traffic to the "termination point". This is the identity the traffic should be sent to on the overlay network, and then 'processed' in some way at that remote node. When using a tunneling app, and offloading the traffic from the overlay back to the underlay (like in this case for ssh), the traffic is 'processed' by effectively being forwarded on to the final destination on the underlay (ip) network. It sounds like more than one device is able to do that forwarding, and it sounds like the traffic is then coming from a random node in the destination network? Without having a great overview, that'd be my guess there...

You mean you haven't gotten it working yet, right? :slight_smile: not that it "doesn't work"??? Again, the overall idea would help me answer better here but here's what it sounds like you're trying to do. It sounds like you're trying to have say 3 (three) machines in the remote network. I'd like to assume that these three machines are named:

  • host1.my.domain
  • host2.my.domain
  • host3.my.domain

If that's the case, you would want to use a feature of the tunnelers where we can grab the intercepted domain name, and simply "send it to the far side", where it is effectively placed back onto the underlay at the domain name that was intercepted. It seems like that's what you want to do?

Assuming that's the case, that sounds a lot like the post we had recently where a user was trying to access a bunch of prometheus scrape targets, similarly to how you're using it for ssh. That thread is here: Reduce number of Service Policies for Monitoring

For that thread, I made a video that shows you how to use the $dst_hostname variables to accomplish what you're trying to do. It demonstrates the concept using prometheus but I think it'll show you the ideas needed properly... If not, correct my understanding and we'll go from there :slight_smile:

You can see the ziti CLI commands I used out at GitHub - dovholuknf/hello-prometheus

I'm sure we'll get you sorted. If you have a request for more/different doc or a different, more targeted video let me know. I'll see if I can make one. You also might be interested in zssh... Perhaps: GitHub - openziti-test-kitchen/zssh: Ziti SSH
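As an added worked example (not part of the reply above, and not taken from the hello-prometheus repo), here is one way to set up the "grab the intercepted domain name and send it to the far side" pattern the reply describes, so that ssh to host1.my.domain always lands on host1 rather than on a round-robin pick among every identity that binds the service. It uses the `$dst_hostname` variable from the reply together with what I understand to be OpenZiti's addressable-terminator fields (`dialOptions.identity` in intercept.v1 and `listenOptions.identity` in host.v1); treat those field names, the `$tunneler_id.name` template, the host names host1/2/3.my.domain, the role attributes `#ssh-host` / `#ssh-client`, and all service, config and policy names as assumptions of this example. The block is dry-run by default and only prints the `ziti` commands; set `ZITI_DRY_RUN=0` to execute them against a controller you are already logged in to.

```shell
#!/usr/bin/env sh
# Added example, not the forum author's or the project's own script.
# Assumption: each remote host (host1/2/3.my.domain) runs a tunneler whose
# OpenZiti identity is named exactly like the host, with role attribute
# #ssh-host; client identities carry #ssh-client.

SERVICE="ssh.my.domain"          # constructed service name
DOMAIN_GLOB="*.my.domain"        # intercept every host under the domain
ZITI_DRY_RUN="${ZITI_DRY_RUN:-1}"

# intercept.v1 (assumed field names): clients intercept *.my.domain:22 and
# dial the terminator whose identity equals the intercepted hostname.
intercept_config() {
  cat <<EOF
{"protocols":["tcp"],"addresses":["${DOMAIN_GLOB}"],"portRanges":[{"low":22,"high":22}],"dialOptions":{"identity":"\$dst_hostname"}}
EOF
}

# host.v1 (assumed field names): each hosting tunneler offloads to its own
# local sshd and registers a terminator named after its identity, so a dial
# for host2.my.domain is only ever satisfied by host2's tunneler.
host_config() {
  cat <<EOF
{"protocol":"tcp","address":"127.0.0.1","port":22,"listenOptions":{"identity":"\$tunneler_id.name"}}
EOF
}

# Print the command in dry-run mode, otherwise run the real ziti CLI.
ziti_cmd() {
  if [ "${ZITI_DRY_RUN}" = "1" ]; then
    echo "ziti $*"
  else
    ziti "$@"
  fi
}

create_service() {
  ziti_cmd edge create config "${SERVICE}.intercept.v1" intercept.v1 "$(intercept_config)"
  ziti_cmd edge create config "${SERVICE}.host.v1" host.v1 "$(host_config)"
  ziti_cmd edge create service "${SERVICE}" \
    --configs "${SERVICE}.intercept.v1,${SERVICE}.host.v1"
  # Bind policy: every identity tagged #ssh-host may host the one service.
  ziti_cmd edge create service-policy "${SERVICE}.bind" Bind \
    --service-roles "@${SERVICE}" --identity-roles '#ssh-host'
  # Dial policy: identities tagged #ssh-client may intercept and dial it.
  ziti_cmd edge create service-policy "${SERVICE}.dial" Dial \
    --service-roles "@${SERVICE}" --identity-roles '#ssh-client'
}

# Offline sanity check: the dial side must carry the templated hostname and
# the host side the templated tunneler name, or the pairing will not work.
check_configs() {
  intercept_config | grep -q '"identity":"\$dst_hostname"' || return 1
  host_config | grep -q '"identity":"\$tunneler_id.name"' || return 1
  return 0
}

create_service
```

With this in place, `ssh host2.my.domain` on a client is intercepted by the client tunneler, dialed with identity `host2.my.domain`, and terminated only by the tunneler on host2, so the ssh server sees the connection arriving from its own tunneler rather than from whichever hosting identity happened to be next in the rotation.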