The whole header is encrypted, including the Host header and request line. Certificate selection and routing relies on SNI[1]. The server name in the TLS client hello message is almost always, but not necessarily, a copy of the value of the Host header field.
[1]: https://en.m.wikipedia.org/wiki/Server_Name_Indication