Since you already support checking for HPKP, how about OCSP must-staple?

https://blog.mozilla.org/security/2015/11/23/improving-revocation-ocsp-must-staple-and-short-lived-certificates/