Making sure that not other certificates are used is already a feature in SSH protocol. As far as I understand, WinSCP already allows the check of the certificate hash for the SSL/TLS but, unfortunately, only if the route through the Windows store fails, allowing the attackers to misuse any of the trusted CAs for the MITM attack. Trusting other CAs is not a good approach for anybody who maintains his own server and the clients, and it's not paranoia but really an issue, see the list of the known public failures:
Comodo, October 2016
GlobalSign, October 2016
National Informatics Centre of India, July 2014
ANSSI, December 2013
Mozilla's reaction to the problem trend, February 2013
Trustwave, February 2012
Türktrust, August 2011 — January 2013
DigiNotar, June–September 2011Comodo, March 2011
Google, to solve the problems actually seen, for HTTPS and first for their own servers and the client (Chrome) also introduced the concept of the "certificate pinning":
However even without inventing the new modes of "pinning" for which the servers would have to be enhanced you can allow the users of WinSCP to control which certificates and authorities they want to trust in WinSCP using the code that you already wrote!
It's just a few new ifs and adding the interface (in the case you accept the first "checkbox" proposal).
Thank you once again in considering that possibility.[/b]