Turns out tls-unique is *additionally* broken by https://www.mitls.org/pages/attacks/SLOTH, found a few months after the release of RFC7627, which tried to fix it:

> If your TLS application relies on the tls-unique channel binding to prevent credential forwarding, you need to redesign your application.
> Our attack on the tls-unique channel binding affects application-level protocols that rely on this channel binding to prevent credential forwarding attacks. In general, all uses of tls-unique are suspect, but the following are known to be specifically affected:
> * SCRAM is used in SASL and GSSAPI and relies on tls-unique for channel binding. SCRAM is the default authentication protocol for XMPP.