Dynamic Hostname when using SSH Proxy with ProxyCommand

I am trying to configure an SSH connection through a proxy server such that

Host bridge-test
  HostName TARGETHOST
  ProxyCommand ssh -W BRIDGEHOST %h:%p

however, my problem is that I do not know a priori what TARGETHOST is. This information can only be accessed by executing a command on the BRIDGEHOST (which is static). Is there any way to configure SSH to pick up the TARGETHOST as a variable from the proxy server?

It is possible with a bit inline magic

Match originalhost bridge-test exec "ssh BRIDGEHOST 'cat host.txt' > /tmp/host.txt; true"
  hostname dummy
  ProxyCommand ssh BRIDGEHOST -W $(cat /tmp/host.txt):%p

How it works?

1. The match exec expression is used only to connect to BRIDGEHOST and get there the hostname dynamically (I used a simple cat host.txt as example)
2. Save the hostname to a local file /tmp/host.txt
3. Finish the match command with true, then the match exec will always match
4. Use the hostname from /tmp/host.txt in the ProxyCommand

But the obvious variant fails (ssh version dependent)

I would expect that it could be simplified to

HOST bridge-test
  hostname dummy
  ProxyCommand ssh BRIDGEHOST -W $(ssh BRIDGEHOST 'cat host.txt'):%p

But this variant fails with:

Bad packet length 1231976033.
ssh_dispatch_run_fatal: Connection to UNKNOWN port 65535: message authentication code incorrect

I've tested many simplified variants, but as soon as I call ssh somewhere this leads to an error.
Tested with:

$ ssh -V
OpenSSH_8.9p1 Ubuntu-3ubuntu0.6, OpenSSL 3.0.2 15 Mar 2022

Edit 2024-09-05:
Retested today with OpenSSH_9.0p1 and it works with nested ssh, too