We've finished upgrading our edge stack to TLS 1.3 only and enabled HTTP/2 across all sites. Latency and security both improved.
Cipher suites in use: TLS_AES_256_GCM_SHA384 and TLS_CHACHA20_POLY1305_SHA256. We disabled TLS 1.2 and below at the Nginx level and verified that all clients we care about support TLS 1.3. HTTP/2 gives us multiplexing and header compression without changing application code.
Next steps: we're keeping an eye on session resumption and OCSP stapling so we don't add extra round-trips. So far, no issues.
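To keep this posture from drifting, a check like the following can run over the output of `nginx -T` in CI. It is an added example, not our production tooling: the two server blocks are constructed samples, and pinning the suites with `ssl_conf_command Ciphersuites` is an assumption about how they are restricted, since `ssl_ciphers` does not select TLS 1.3 suites in Nginx.

```python
import re

# The two suites the post names; anything else is reported.
ALLOWED_SUITES = {"TLS_AES_256_GCM_SHA384", "TLS_CHACHA20_POLY1305_SHA256"}

def directives(conf):
    """Yield each directive as a list of words, with # comments stripped."""
    for stmt in re.split(r"[;{}]", re.sub(r"#[^\n]*", "", conf)):
        if stmt.split():
            yield stmt.split()

def audit(conf):
    """Return sorted findings for one nginx config dump, judged as a whole."""
    protocols, suites, http2, stapling = set(), None, False, False
    for name, *args in directives(conf):
        if name == "ssl_protocols":
            protocols |= set(args)
        elif name == "ssl_conf_command" and args[:1] == ["Ciphersuites"]:
            suites = set(":".join(args[1:]).split(":"))
        elif (name == "http2" and args == ["on"]) or (name == "listen" and "http2" in args):
            http2 = True
        elif name == "ssl_stapling" and args == ["on"]:
            stapling = True
    findings = [f"ssl_protocols allows {p}" for p in protocols - {"TLSv1.3"}]
    if "TLSv1.3" not in protocols:
        findings.append("TLSv1.3 not explicitly enabled")
    if suites is None:
        findings.append("TLS 1.3 suites not pinned with ssl_conf_command Ciphersuites")
    else:
        findings += [f"unexpected suite {s}" for s in suites - ALLOWED_SUITES]
    if not http2:
        findings.append("HTTP/2 not enabled")
    if not stapling:
        findings.append("ssl_stapling not on")
    return sorted(findings)

# Constructed sample configs, not taken from the post.
WEAK = """server { listen 443 ssl;
  ssl_protocols TLSv1.2 TLSv1.3;
  ssl_ciphers HIGH:!aNULL;  # has no effect on TLS 1.3 suites
}"""
HARDENED = """server { listen 443 ssl; http2 on;
  ssl_protocols TLSv1.3;
  ssl_conf_command Ciphersuites TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256;
  ssl_stapling on; ssl_stapling_verify on;
}"""

if __name__ == "__main__":
    for label, conf in (("weak", WEAK), ("hardened", HARDENED)):
        print(label, audit(conf) or "OK")
```

The audit treats the dump as one unit, so a single server block that still lists TLSv1.2 is enough to produce a finding.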