Thanks for all the pointers.
@Henning, it seems kamailio will always use 'transport=ws' because the RFC for SIP URI's does not allow for wss (see: https://github.com/kamailio/kamailio/blob/master/src/core/ip_addr.c#L690)
@Olle We also re-use the existing client sockets, no need for outbound connections.
Actually, my initial problem description wasn't completely correct. Our Kamailio *does* correctly forward the SIP messages to the client, which receives them well. The problem lies in the `Record-Route` header that Kamailio adds. In that header, Kamailio inserts the wrong ip/port combination, as it's using a tcp socket where it should use the tls socket.
I think the underlying problem is here: https://github.com/kamailio/kamailio/blob/master/src/core/forward.c#L293. This method will receive `proto = PROTO_WS` as described by the transport in the sip uri, but doesn't know it's really a wss connection.