Block Egress HTTPS to Domain for Labeled Pods

Is there a way to block/blackhole egress HTTPS requests to a specific wildcarded domain for pods using a labelSelector? I was trying to use an HTTP_FILTER lua envoyfilter, but that doesn’t work with HTTPS/SNI.

An example is that I want application code in specific pods not to be able to reach to, while all other pods should be able to.