Back again, @Luiggi!
I tried the following:
- Changing `proxy_set_header Host` from `$host` to `$proxy_host`, so that `metabase1.internaldomain.com` is passed as host to Metabase instead of `metabase.publicdomain.com`. It did not work.
- Added `-Djetty.ssl.sniHostCheck=false` to `JAVA_OPTS`. It did not work either. Browsed the Internet and I am unsure why it did not work, to be honest. Tricky...
My intuition kept pointing at how NGINX is passing the request to upstream, to the proxied server, i.e. Jetty, so I kept digging until I found the solution. On the server block on NGINX I added/modified these directives:

```nginx
proxy_set_header Host "metabase1.internaldomain.com";
proxy_ssl_server_name on; # Default is 'off'
```

And it worked!
It's a pity I could not use NGINX's variable `$proxy_host` in the `proxy_set_header Host` directive, as it includes both the "name and port of a proxied server as specified in the proxy_pass directive". Fortunately, no need to explicitly set `proxy_ssl_name` as this one is set by default to the host part of `$proxy_host`, i.e. `metabase1.internaldomain.com`.
Fortunately, the server block is templated via Ansible, so I can just define those values easily upon deploy.
Final thought is that the Jetty parameter `jetty.ssl.sniHostCheck` should have worked, but it didn't. If you are proficient in the world of Java, which I am not, it would be nice to check the code in Jetty's repo. Maybe there is a bug there. You know, a typo, a wrong condition, or similar.
Thanks a lot for your insightful feedback and your help, Luiggi. Very much appreciated. And I hope this thread helps anyone with the same setup as they upgrade from 0.45.X to 0.46.
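
A configuration check for the fix described in the post above, as an added example that is not part of the original post or of the NGINX, Jetty or Metabase projects: it flags a proxied HTTPS block where the SNI name and the `Host` header NGINX sends upstream would differ. The sample blocks, port 8443 and the function names are constructed; it assumes, from the post's outcome, that the upstream wants both to be the internal hostname.

```python
import re
from urllib.parse import urlsplit
# Constructed nginx snippets; hostnames follow the post, port 8443 is a placeholder.
BEFORE = """
location / {
    proxy_pass https://metabase1.internaldomain.com:8443;
    proxy_set_header Host $host;
}
"""
AFTER = """
location / {
    proxy_pass https://metabase1.internaldomain.com:8443;
    proxy_set_header Host "metabase1.internaldomain.com";
    proxy_ssl_server_name on;  # Default is 'off'
}
"""

def parse(conf):
    """Flatten one block into {directive: [arg lists]} (no nesting or includes)."""
    conf = re.sub(r"#[^\n]*", "", conf)  # drop comments
    out = {}
    for stmt in re.split(r"[;{}]", conf):
        words = [w.strip("\"'") for w in stmt.split()]
        if words:
            out.setdefault(words[0], []).append(words[1:])
    return out

def check_upstream_tls(conf):
    """Return findings where the SNI name and Host header sent upstream differ."""
    d = parse(conf)
    url = urlsplit(d.get("proxy_pass", [[""]])[0][0])
    if url.scheme != "https":
        return []
    findings = []
    # SNI name defaults to the host part of $proxy_host unless proxy_ssl_name is set.
    sni = d.get("proxy_ssl_name", [[url.hostname]])[-1][0]
    if d.get("proxy_ssl_server_name", [["off"]])[-1][0] != "on":
        findings.append("proxy_ssl_server_name is off: no SNI is sent upstream")
    # nginx sends Host: $proxy_host when no Host header is configured.
    hosts = [a[1] for a in d.get("proxy_set_header", []) if a[0].lower() == "host"]
    host = hosts[-1] if hosts else "$proxy_host"
    if host == "$proxy_host":
        host = url.netloc  # name plus port, as written in proxy_pass
    if host.startswith("$"):
        findings.append(f"Host is set from variable {host}, not the upstream name {sni}")
    elif host != sni:
        findings.append(f"Host '{host}' differs from SNI name '{sni}'")
    return findings
```

Run against a rendered template, `check_upstream_tls` returns an empty list for the working configuration and one finding per mismatch otherwise, including the `$proxy_host` case where the port ends up in the `Host` header.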