rossmpersonal (Altostratus)
Mar 07, 2019
How do I obtain the TLS Finished struct in an iRule?
In an iRule, how do I obtain the Finished struct in the first TLS Finished message sent in the most recent TLS handshake of the TLS connection?
- Stanislas_Piro2 (Cumulonimbus)
You can use this:
```tcl
when CLIENT_ACCEPTED {
    TCP::collect
    set default_pool [LB::server pool]
}

when CLIENT_DATA {
    # Store TCP Payload up to 2^14 + 5 bytes (Handshake length is up to 2^14)
    set payload [TCP::payload 16389]
    # If valid TLS 1.X CLIENT_HELLO handshake packet
    # (record content type 22 = handshake, version 0x0301 to 0x0303)
    if { [binary scan $payload cH4x2c tls_record_content_type tls_version tls_handshake_action] == 3 && \
         ($tls_record_content_type == 22) && \
         ([string match {030[1-3]} $tls_version]) } {
        switch $tls_handshake_action {
            1 -
            12 -
            16 {
                # Valid Handshake message collect until Finished
                TCP::release
                TCP::collect
                return
            }
            20 {
                # Handshake type 20: log the collected payload as hex
                binary scan $payload H* MESSAGE
                log local0. "Finished Message : $MESSAGE"
                TCP::release
                return
            }
            default {
                log local0. "unknown Message ID $tls_handshake_action"
                TCP::release
                return
            }
        }
    }
    TCP::release
}
```
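Added example, not part of the original answer and not F5 code: in TLS 1.0 to 1.2 the Finished message is carried in the first handshake record after ChangeCipherSpec and is already encrypted, so this plain Tcl 8.4 proc locates it by record order instead of by handshake type. The proc name `tls_find_finished` and the sample bytes are constructed for illustration, and it assumes the records to inspect are contiguous in one buffer.

```tcl
# Walk TLS records in a binary string (TLS 1.0-1.2 framing assumed).
# Returns the hex body of the first handshake record that follows a
# ChangeCipherSpec record, "" if that record has not fully arrived yet,
# or "error" if the bytes do not look like TLS records.
proc tls_find_finished {data} {
    set off 0
    set seen_ccs 0
    set total [string length $data]
    while {$off + 5 <= $total} {
        # Record header: content type (1), version (2), length (2, big-endian)
        binary scan $data @${off}cH4S type ver len
        set type [expr {$type & 0xff}]
        set len  [expr {$len & 0xffff}]
        # 18432 = 2^14 + 2048, the largest ciphertext record TLS 1.2 allows
        if {![string match {030[1-3]} $ver] || $len > 18432} { return "error" }
        if {$off + 5 + $len > $total} { return "" }   ;# record incomplete
        if {$type == 20} {
            # ChangeCipherSpec: every later record is protected
            set seen_ccs 1
        } elseif {$type == 22 && $seen_ccs} {
            set body [string range $data [expr {$off + 5}] [expr {$off + 4 + $len}]]
            binary scan $body H* hex
            return $hex
        }
        incr off [expr {5 + $len}]
    }
    return ""
}

# Constructed sample flight: ClientKeyExchange (empty body), ChangeCipherSpec,
# then a 40-byte record of filler bytes standing in for the encrypted Finished.
set cke "160303000410000000"
set ccs "140303000101"
set fin "1603030028[string repeat ab 40]"
set flight [binary format H* "$cke$ccs$fin"]

puts [tls_find_finished $flight]
puts [string length [tls_find_finished [string range $flight 0 20]]]
```

The returned bytes are ciphertext; reading the `verify_data` inside them requires the session keys, which a TCP-level iRule on a passthrough virtual server does not hold.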