Got it. Make a named pipe on the remote host and ssh-pipe your data through that, no need for any sudoers tweaking.
$ ssh user@remote mkfifo data
$ ssh user@remote -tt '(cat data | sudo cat)'
[sudo] password for user:
That will hang waiting for data, so separately you do
$ sudo echo hello | ssh user@remote cat \>data
[sudo] password for jthill:
and you'll see on the first one:
Connection to remote closed.
The '(cat data | sudo cat)' avoids an annoying delay before sudo prompts for the password (because the redirect tells the shell to open the pipe before running sudo).