@espoelstra
Created November 18, 2020 22:16
Setting up a SOCKS proxy via a jump server or bastion host for ChromeOS in Developer Mode with a Yubikey

Using the ChromeOS host shell aka crosh for SOCKS5 tunneling

Prerequisites

Set up SSH access to the host sshd, either by starting it manually or by removing the read-only protection on the rootfs. Starting it manually is the safest and least intrusive option; see this gist for how to do it: https://gist.github.com/espoelstra/c910a8f5de6ba16d09fdb2014a5d843c

Once you have SSH access to the chronos user's shell, you can set up an SSH config that allows forwarding of your SSH key to the next host, in this case the jump server or bastion host.

https://gist.github.com/mtds/dc1e3df84e84318b3713cce26dd54f24#socks-proxy

Discoveries

It actually turns out you don't even need to do all the local setup (unless you want to use a persistent ControlMaster as the chronos user instead of leaving a Secure Shell window open).

If you connect directly to the jump server using -ND 1080 as the SSH Arguments, port 1080 is automatically configured as a SOCKS5 proxy. This does leave the Secure Shell window open, but with luck maybe they'll add a "map port/proxy" option like they did for SFTP mount/SFTP.

This also works with --ssh-agent=gsc, so you can use your Yubikey or other smartcard to connect, and your connection will stay up as long as it is plugged in.
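
To confirm that the SOCKS port opened by -ND 1080 is reachable only from the machine itself and not from the rest of the network, the following added example (not part of the original gist) classifies the listener's bind address from `ss -ltnH`-style output. The function names and sample lines are constructed for illustration, and having ss available in the shell you run it from is an assumption.

```shell
#!/bin/sh
# Added example, not from the original gist. socks_bind_scope PORT reads
# `ss -ltnH`-style lines on stdin and prints:
#   loopback  every listener on PORT is on 127.0.0.0/8 or [::1]
#   exposed   at least one listener is on a wildcard or other address
#   none      nothing is listening on PORT
socks_bind_scope() {
    awk -v port="$1" '
        $1 != "LISTEN" { next }
        {
            n = split($4, parts, ":")        # $4 is "Local Address:Port"
            if (parts[n] != port) next       # port is the text after the last ":"
            addr = substr($4, 1, length($4) - length(parts[n]) - 1)
            found = 1
            if (addr !~ /^127\./ && addr != "[::1]") exposed = 1
        }
        END {
            if (!found)       print "none"
            else if (exposed) print "exposed"
            else              print "loopback"
        }'
}

# Constructed sample: what a default `ssh -ND 1080` looks like, since ssh
# binds forwarded ports to loopback unless GatewayPorts or -g says otherwise.
sample_default() {
    printf '%s\n' \
        'LISTEN 0 128 0.0.0.0:22     0.0.0.0:*' \
        'LISTEN 0 128 127.0.0.1:1080 0.0.0.0:*' \
        'LISTEN 0 128 [::1]:1080     [::]:*'
}

# Constructed sample: the same port opened with a wildcard bind address,
# which lets any host that can reach this machine use the tunnel.
sample_wildcard() {
    printf '%s\n' \
        'LISTEN 0 128 0.0.0.0:1080 0.0.0.0:*' \
        'LISTEN 0 128 [::]:1080    [::]:*'
}

sample_default  | socks_bind_scope 1080
sample_wildcard | socks_bind_scope 1080
# Live check: ss -ltnH | socks_bind_scope 1080
```

Anything other than "loopback" while the tunnel is up means the proxy into the bastion's network is usable by other hosts and the bind address should be corrected.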

Alternatives

If you don't want to mess with the host sshd, or you aren't in Developer Mode, you can try the simpler approach described at the link below. It requires Crostini, and the VM must be running any time you want to connect to the resources that require the proxy. https://www.reddit.com/r/Crostini/comments/dhfdyc/how_to_create_an_ssh_socks_proxy_via_crostini/f3tyq9t?utm_source=share&utm_medium=web2x&context=3
