The documentation currently suggests adding the line
RequestHeader set X-Forwarded-Proto "https"
to the default VirtualHost for HTTP. Unless I’m missing something big, that is insufficient, and that header needs to be added to all HTTPS requests that are proxied to checkmk, not only HTTP requests that are rewritten. Particularly since I set HSTS headers, there aren’t many of the latter.
I caught that only after following the instructions without too much thought and then looking into the failure in WATO's Analyze configuration, where it warns me about Secure GUI (HTTP).
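
The placement described in the post, shown as an added example that is not part of the original post or the Checkmk documentation. It assumes mod_rewrite, mod_ssl and mod_headers are enabled and that the site's proxy configuration applies to the HTTPS VirtualHost; the ServerName, certificate paths and HSTS max-age are constructed placeholders.

```apache
# Constructed example; hostname, certificate paths and max-age are placeholders.

# HTTP VirtualHost: every request is answered with a redirect, so nothing
# is proxied to the monitoring site from here.
<VirtualHost *:80>
    ServerName monitoring.example.com
    RewriteEngine On
    # Fixed hostname rather than %{HTTP_HOST}, so the redirect target
    # does not depend on a client-supplied Host header.
    RewriteRule ^ https://monitoring.example.com%{REQUEST_URI} [R=301,L]
    # A RequestHeader directive placed here only affects requests handled
    # by this VirtualHost, and those end in the redirect above.
</VirtualHost>

# HTTPS VirtualHost: the requests that are actually proxied arrive here.
<VirtualHost *:443>
    ServerName monitoring.example.com
    SSLEngine On
    SSLCertificateFile    /path/to/placeholder-cert.pem
    SSLCertificateKeyFile /path/to/placeholder-key.pem

    # "set" overwrites any X-Forwarded-Proto value sent by the client,
    # so the proxied application sees "https" for every TLS request.
    RequestHeader set X-Forwarded-Proto "https"

    # HSTS makes browsers go straight to HTTPS, which is why few requests
    # ever pass through the port 80 VirtualHost.
    Header always set Strict-Transport-Security "max-age=31536000"
</VirtualHost>
```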