Wildcard certificate redirects subdomains to the first visited domains

What we do know for sure is that the SNI routing is working:

a) it works with the normal certificates
b) it works with the wildcard certificates if I clear the browser cache in between the trials

So it's as if the proxy server or the backend web servers are caching all three SSL sessions (to example.com, to a.example.com and to b.example.com) with the same *.example.com domain expressed in the wildcard certificate, and this is creating a conflict. I do not know how that's possible and can't find anything useful in the nginx documentation.

I F*** DID IT**

I found the culprit: on the backend servers' side I had the listen directive configured with http2 (other than ssl and proxy_protocol), and as far as I can understand in my actual overeuphoric state of mind, http2 is not supported by the proxy_pass directive. After deleting that, everything now works flawlessly, jesus f****** christ

Thank you again @rg305 for your vicinity in this maelstrom of troubleshooting.

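The setup and fix described in this thread, written out as an added configuration example (not the poster's actual files). It assumes the front proxy does SNI routing with the nginx stream module and `ssl_preread`; the addresses, certificate paths and the choice of `a.example.com` as the backend shown are constructed placeholders.

```nginx
# ---- Front proxy: nginx.conf, stream context (assumed setup) ----
stream {
    # Choose a backend from the SNI name in the TLS ClientHello.
    map $ssl_preread_server_name $backend {
        example.com    192.0.2.10:443;   # constructed addresses
        a.example.com  192.0.2.11:443;
        b.example.com  192.0.2.12:443;
    }

    server {
        listen 443;
        ssl_preread on;        # read SNI without terminating TLS
        proxy_protocol on;     # hand the client address to the backend
        proxy_pass $backend;   # decided once, when the TCP connection opens
    }
}

# ---- Backend a.example.com: http context, BEFORE the fix ----
# http2 is offered over ALPN. All three names resolve to the proxy and
# are covered by the same *.example.com certificate, so a browser may
# reuse an open HTTP/2 connection for another of those names (HTTP/2
# connection reuse, RFC 7540). The reused connection is already pinned
# to one backend, so the proxy's SNI map is never consulted again.
server {
    listen 443 ssl http2 proxy_protocol;
    server_name a.example.com;
    ssl_certificate     /etc/ssl/placeholder/wildcard.crt;
    ssl_certificate_key /etc/ssl/placeholder/wildcard.key;
}

# ---- Backend a.example.com: http context, AFTER the fix ----
# Same listener with http2 removed, as the poster did. Clients fall
# back to HTTP/1.1, and each hostname gets its own TLS connection and
# therefore its own SNI routing decision.
server {
    listen 443 ssl proxy_protocol;
    server_name a.example.com;
    ssl_certificate     /etc/ssl/placeholder/wildcard.crt;
    ssl_certificate_key /etc/ssl/placeholder/wildcard.key;
}
```

After the change, `openssl s_client -connect a.example.com:443 -servername a.example.com -alpn h2,http/1.1` should no longer report `h2` as the negotiated ALPN protocol.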