Yes, if the browser setups a SSL connection for example.org, the SNI value will have example.org. But if the certificate also covers www.example.org the browser can request that in the same SSL session. But SNI is only exchanged at the beginning, in the client_hello, there is no SNI afterwards.
So you can end up with a HTTP transaction where the SNI is example.org and the Host header is www.example.org - in this case, only the Host header is relevant and correct for what you need to know (you want to know what the browser intends to request, not what the initial SNI value was).
Which is why you should always use HTTP headers. Only use SNI if you cannot actually get to the HTTP header (like when you are passing TLS through without decryption).