HOLY MOLEY. I think I've done it. Given the amount of docs on this, I wouldn't be surprised to hear I'm basically the only person on the planet who's got this working!
The crucial bit I'd missed is that even though the GCE ingress terminates SSL, it will - for HTTP/2 only - re-encrypt the connection to your backend. Your backend service therefore needs to be able to talk SSL. Any old cert will do - I generated some self-signed ones.
The thing that took me a day to figure out is that a bad SSL handshake just looks like a network connection failure to the load balancer, so I spent ages doing network debugging.
What. A. Palaver.
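A quick way to tell the failure described above (port reachable, TLS handshake failing) apart from a real network problem, as an added example that is not part of the original post. The function name `probeBackend` and its result strings are made up for this sketch; it connects over TCP, then attempts a TLS handshake offering `h2` via ALPN, and reports which layer failed.

```go
package main

import (
	"crypto/tls"
	"fmt"
	"net"
	"os"
	"time"
)

// probeBackend (hypothetical helper) connects to a backend in two steps,
// TCP first and then TLS with ALPN "h2", and reports which layer failed.
// Result is one of "tcp-fail", "tls-fail", "no-h2" or "ok".
func probeBackend(addr string, timeout time.Duration) (string, error) {
	conn, err := net.DialTimeout("tcp", addr, timeout)
	if err != nil {
		return "tcp-fail", err // genuinely a network problem
	}
	defer conn.Close()
	conn.SetDeadline(time.Now().Add(timeout))

	// InsecureSkipVerify follows the post ("any old cert will do"), so a
	// self-signed certificate is accepted. Diagnostic use only.
	tc := tls.Client(conn, &tls.Config{
		InsecureSkipVerify: true,
		NextProtos:         []string{"h2", "http/1.1"},
	})
	if err := tc.Handshake(); err != nil {
		return "tls-fail", err // port is open, but the backend is not speaking TLS
	}
	if p := tc.ConnectionState().NegotiatedProtocol; p != "h2" {
		return "no-h2", fmt.Errorf("ALPN negotiated %q, not h2", p)
	}
	return "ok", nil
}

func main() {
	if len(os.Args) != 2 {
		fmt.Fprintln(os.Stderr, "usage: probe host:port")
		os.Exit(2)
	}
	res, err := probeBackend(os.Args[1], 3*time.Second)
	fmt.Println(res, err)
}
```

Run it from somewhere that can reach the backend directly (for example another pod in the cluster); a `tls-fail` result means the network path is fine and the backend is answering in plaintext or otherwise rejecting the handshake.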