Thanks for your response, PiBa.
I've made some good progress on this and think I have a working solution. I've found a working ACL combination:
[Image: workingACLs.jpg]
That is, when all backends are down, I get a match on the kdemo_dead ACL that says "!minCountUsableServers ge 1" and haproxy uses the tcp-request connection reject as desired.
Interestingly, at first when I initially had SSL offload enabled for the frontend, I had a lot of errors when the package attempted to create the haproxy.cfg, and when I finally got past that I no longer got the desired behavior: despite the ACLs, haproxy still initiated a TCP connection and returned a 503. I really don't know what's changed; perhaps it was because I had some of the boxes checked that created additional ACLs?
It seems the haproxy package is dynamically generating a haproxy.cfg when I apply UI changes and sometimes the content and sequence of entries causes unintended consequences.
At any rate, seems to be working now, so I'm happy :)