
Screwtape at

My understanding is that "negotiating a TLS session" requires the server to send the certificate for the hostname you're connecting to, so that the client can encrypt a secret that only the server can decrypt.

A better solution than SNI would be for HTTPS connections to use SRV records in DNS instead of only A and AAAA records, but that ship has sailed. :/