Thanks so much, Francis Daly! This is a huge help in isolating the problem.
Based on the nginx access log, IPv6 requests to port 443 are getting to nginx but IPv4 requests to port 443 are not. But they are getting to tcpdump. All I see there is a bunch of packets with the tcpflag [S]. I take it this means the handshake is not completing.
It was easy to confirm this by turning off IPv6 in my browser, at which point https stopped resolving for the site in the browser but I could see the packets coming in on tcpdump.
So presumably some sort of firewall on the local server machine--probably one I didn't configure or know about! I'll try to figure out how to find that blockage.
In any case, apparently not an nginx issue, as you rightly perceived.
Thanks again for the help!
Nathan