As you must have determined, the update.rdf add-ins for WebExtensions should be served via HTTPS, not HTTP. The URL of the update.rdf file must be https. The documentation for the update_url property is not explicitly specified in the manifest.json applications file :
update_url is a link to the manifest for updating add-ons . Please note that the link must begin with "https". This key is intended for managing updates updates independently (i.e. Not through AMO).
You cannot use the alternative security method available for other types of add-ons to provide updateKey (and signing update.rdf) in the install.rdf file that came with the extension.
Additional SDK-based extensions and other types of add-ons not related to WebExtensions will still be able to receive their update.rdf via HTTP in the same way they did.
If your problem translates an add-in from an add-on based on the SDK as an add-on based on WebExtensions, you will need to have an update for this extension that changes the URL from which the updates are being serviced. It can be in any version before switching to WebExtensions or at the same time. In any case, this is just a new version of the add-in (specified using update.rdf, transmitted via HTTP and signed accordingly). This new version will have update_url (WebExtensions) or updateURL (all other types), where the URL uses the HTTPS scheme. Then, all subsequent update.rdf files will be served via HTTPS.