I realized that I made the following error: contrary to what I said, tECDSA-signed stuff needs to contain the hash of the entire message, to prevent a malevolent replica from substituting another body.
But the above is no longer important, because I am removing tECDSA support (it was estimated at a few USD cents).
A much less expensive way is for the proxy to send an update call back to the canister that requested an HTTPS outcall, with the hash of the outcall, before delivering the request further. This request can be used by our canister to determine whether it asked for this outcall or not.
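The callback check described in the post, as an added example that is not part of the original post or the project's code: a plain-Python model of the canister-side bookkeeping, not IC canister code. The names `outcall_hash` and `OutcallRegistry`, the length-prefixed encoding, the expiry window and the single-use rule are all assumptions made for illustration.

```python
import hashlib
import struct


def outcall_hash(method, url, headers, body):
    """SHA-256 over the whole request, so a swapped body changes the hash.

    The encoding is an assumption: each field is length-prefixed so that
    field boundaries cannot be shifted to produce the same byte stream.
    """
    fields = [method.upper().encode(), url.encode()]
    for name, value in sorted((n.lower(), v) for n, v in headers):
        fields += [name.encode(), value.encode()]
    fields.append(body)
    h = hashlib.sha256()
    for f in fields:
        h.update(struct.pack(">I", len(f)))
        h.update(f)
    return h.digest()


class OutcallRegistry:
    """Hypothetical canister state: hashes of outcalls it really requested."""

    def __init__(self, ttl_seconds=60):
        self.ttl = ttl_seconds
        self.pending = {}  # hash -> expiry timestamp

    def request_outcall(self, method, url, headers, body, now):
        """Record the hash at the moment the canister issues the outcall."""
        digest = outcall_hash(method, url, headers, body)
        self.pending[digest] = now + self.ttl
        return digest

    def confirm(self, digest, now):
        """Update call from the proxy, made before it forwards the request.

        The entry is removed on first use (assumed policy), so a replayed
        hash is rejected, as is an unknown or expired one.
        """
        expiry = self.pending.pop(digest, None)
        return expiry is not None and now <= expiry


if __name__ == "__main__":
    # Constructed sample request; the URL is a placeholder.
    reg = OutcallRegistry()
    d = reg.request_outcall("POST", "https://api.example.com/v1/pay",
                            [("Content-Type", "application/json")], b'{"amount":1}', now=1000)
    print(d.hex(), reg.confirm(d, now=1001))
```
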