This post ended up having the answer: Double encoding on UUIDs. Apparently the correct approach is to double URL encode the session ID. I’m not sure why, since a single encoding should be more than sufficient.
var safeSessionId = sessionId.Contains('/') ? HttpUtility.UrlEncode(HttpUtility.UrlEncode(sessionId)) : sessionId;
Worked for me though. The documentation could use updating to note both the URL encoding, and the fact that it is needed whenever a “/” is present in the session ID