It seems that tenant restrictions is meant for a single-tenant environment. That is, all users are authenticating against a single tenant. In this case, your users should always authenticate to the prod tenant, even when using the dev and test tenants' services. I don't think this would work in your scenario.
However, as the proxy is intercepting the traffic anyway, you may inspect the request and try to identify which tenant users are trying to access. The login username would be a good candidate for that. Based on that, you could give the correct tenant ID for the Restrict-Access-Context.
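A sketch of the header selection described above, as an added example that is not part of the original reply: it picks the Restrict-Access-Context value from the username visible in a sign-in request and falls back to prod when none is recognised. The tenant domains, directory IDs, and the form field names `login` and `username` are constructed assumptions; `login_hint` is the standard OAuth/OIDC parameter.

```python
from urllib.parse import parse_qs

# Sign-in hosts where the proxy inserts the tenant-restriction headers.
LOGIN_HOSTS = {"login.microsoftonline.com", "login.microsoft.com", "login.windows.net"}
RESTRICTION_HEADERS = {"restrict-access-to-tenants", "restrict-access-context"}

# Constructed mapping: sign-in domain -> (permitted tenant, directory ID placeholder).
TENANTS = {
    "prod.example.com": ("prod.example.com", "00000000-0000-0000-0000-000000000001"),
    "test.example.com": ("test.example.com", "00000000-0000-0000-0000-000000000002"),
    "dev.example.com": ("dev.example.com", "00000000-0000-0000-0000-000000000003"),
}
DEFAULT_DOMAIN = "prod.example.com"  # used when no known username is visible


def username_from_request(query, body):
    """Return the sign-in name found in the query string or form body, else None."""
    for raw in (query, body):
        fields = parse_qs(raw or "")
        # login_hint is the OAuth/OIDC hint; "login" and "username" are assumed names.
        for key in ("login_hint", "login", "username"):
            if fields.get(key):
                return fields[key][0].strip().lower()
    return None


def apply_tenant_restrictions(host, headers, query="", body=""):
    """Return the headers the proxy should forward upstream for this request."""
    if host.lower().rstrip(".") not in LOGIN_HOSTS:
        return dict(headers)
    # Drop any client-supplied copies so a user cannot choose the context.
    out = {k: v for k, v in headers.items() if k.lower() not in RESTRICTION_HEADERS}
    user = username_from_request(query, body)
    domain = user.rpartition("@")[2] if user and "@" in user else None
    allowed, directory_id = TENANTS.get(domain, TENANTS[DEFAULT_DOMAIN])
    out["Restrict-Access-To-Tenants"] = allowed
    out["Restrict-Access-Context"] = directory_id
    return out
```

A request that carries no username, such as a sign-in page opened without `login_hint`, gets the prod context, so the mapping only takes effect once the username appears in a request the proxy can read.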
AFAIK, it does support multiple tenants. However, that feature is available only in the "global", multi-tenant O365 instance. I'm almost 100% sure that the DE instance does not have it. So best check with the support team.