First off, very much appreciate you digging into the libbeat code! 
However, this is actually not how it works. When the HTTP client is created it takes a "regular" TCP dialer but also a TLS dialer. That way, depending on the protocol (HTTP vs. HTTPS), it can use the appropriate dialer. You can see the TLS dialer object being constructed a few lines earlier, with the appropriate settings from the user-specified configuration.
Nothing in your Filebeat configuration, particularly the output.elasticsearch section, jumps out as unusual to me. You shouldn't even need to specify ssl.enabled: true and ssl.verification_mode: full as those are the default values since your URL in the hosts setting is using the https protocol. Nevertheless, specifying them explicitly should do no harm either.
Unfortunately I'm far from an expert on k8s so I don't have any intelligent thoughts to offer about that configuration. I'm assuming you have it correct 
.
Given your thorough analysis, you've probably checked this already but I'd be remiss not to ask: have you tried the curl from the Filebeat ec2 instance to https://es.domain.tld:443?