Using what was provided in OP, I'm gonna MITM with my router with a fake DNS to see if I can figure out the requests being made.
EDIT:
Can confirm the SX OS doesn't do any requests at all. At least not on the Booter part.
Meaning the "licence.dat" check when clicking Boot Custom Firmware does a check based on the code somewhere in boot.dat.
With the tx_unpacker, this helps a bit, but there's still work to be done.
If we can figure out how the /?u=sign request on sx.xecuter.com works, we could figure out how to sign our own licence.dat's, but it's pretty hard to do so as it's server-side.
I guess we could also try to spoof our Switch HWID, which is conveniently mentioned in the Licence tab in Album.
EDIT 2:
They call the HWID (Hardware Identifier) the Console Fingerprint. It's: [A-F0-9]{32}, seemingly an SHA hash of something.