So, check-sni was the key. Alone, without sni. But I used it in a wrong way. check-sni should be followed by a simple DNS name, as in your example above, not str() or req.hdr() call. The working configuration is:
server 1.base.maps.ls.hereapi.com 1.base.maps.ls.hereapi.com:443 ssl verify none resolvers mydns check-sni 1.base.maps.ls.hereapi.com check
Thanks for your help, @lukastribus!