All the redirects need to happen in a second proxy layer (in this case, the frontend redirects listening on 127.0.0.1:8081 - so make sure that port is free or use a different one). This also requires another backend, which is needsredirect here that is needed to divert the traffic to the new frontend.
The original frontend http-in must not contain any redirect rules (just the HSTS settings) and must make sure that request that still need to be redirected go through backend needsredirect to frontend redirects.
It should look like this then (untested):
frontend http-in
bind *:80
bind *:443 ssl crt /certs/example.net.pem alpn h2,http/1.1
# default headers
http-response set-header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
http-response set-header X-Frame-Options "SAMEORIGIN"
http-response set-header X-XSS-Protection "1; mode=block"
http-response set-header X-Content-Type-Options "nosniff"
# route subdomains to backends
acl is_main hdr(host) -i example.net
acl is_www hdr(host) -i www.example.net
use_backend needsredirect if !{ ssl_fc }
use_backend needsredirect if is_main
use_backend www if is_www
backend needsredirect
server localredirects 127.0.0.1:8081
frontend redirects
bind 127.0.0.1:8081
# redirect non-www to www
acl has_www hdr_beg(host) -i www.
http-request redirect prefix https://www.%[hdr(host)] code 301 if !{ has_www }
# redirect all HTTP traffic to HTTPS
http-request redirect scheme https code 301 if !{ ssl_fc }
backend www
server main main:9200 check