Good point. Although I think the design was chosen because of the complexity of infrastructure behind your TLS server. Adding more things for the client to do so that you don't need to trust any intermediaries inside AWS data centers. (I'm not complaining, just an observation from my POV).
(For the record in BeyondCorp all backend components are mutually authenticated but they still use sessions and U2F tokens so there are no trusted points).