@staypath Continuing my conversation with myself 🙂
Posting this here in case anyone else comes across this with the same question: I found that configuring fail2ban to use systemd was the trick:
[sshd]
port = ssh
#logpath = %(sshd_log)s
#backend = %(sshd_backend)s
backend = systemd
enabled = true
maxretry = 1
bantime = 14d