When NAT gets involved things get very complicated very quickly for that. For many networks and ISPs this would need to happen at the IP egress level and couldn’t happen on the end device, since the end device doesn’t even know its own IP and neither does the on-prem router.

Thank you. It's the best argument against the certificate suggestion I have read so far. It's a problem I overlooked.

Edit: If the server creates the certificate with a three way handshake, it will use the remote IP address. So the client doesn't have to know it's IP address

How is that no prior configuration on the client side?

Clients could use the same certificate for every server, so there is only a one-time setup. Analogous to how clients need to be "configured" with an IP address, the certificate could be given to them by their internet gateway if desired.

Yeah, and in what universe could that work? I need directions.

Seems far simpler to send a physical mail to the service operator who then hardcodes the IP in the server.

Or, maybe do a handshake once and cache it for X amounts of time whatever makes sense for that service.