The level at which the forwarding layer is evaluated during the interception of the SSL traffic is the problem.
If you look at a policy trace the forwarding layer is seen to be evaluated at both the TCP and HTTPS stage of interception,
not at the SSL stage. This is key.
In SGOS 6.3.x the policy evaluation at this stage has been changed to include the forwarding layer, so the reflect IP rule is matched at the right time to initiate the TCP connection upstream with the IP address referenced in policy.