I figured out two methods to accomplish this task;
command in .authorized_keys
~/.ssh/authorized_keys you add the following before a specific key
|command="/usr/local/bin/shell-wrapper" ssh-rsa AAAAB3NzaC1yc2...JZK1E8H60=|
And because registering and installing a new certificate for each and every new app we create is a real pain in the ass, we registered a wildcard certificate and are hosting all the apps on subdomains.
That worked well, but we still had to request a new IP address for every app, because the lack of SNI in all versions of Internet Explorer on Windows XP.