How do I apply policy based on the ip address contained in X-Forwarded-For headers from a load balancer?

Article ID: 165967


Products

SG-510

Issue/Introduction

When a layer 3 or layer 4 load balancer that NATs the client IP address sits between the clients and the ProxySG appliance, how can policy be written to identify and act on specific client IP addresses or subnets?

Resolution

Using the standard client IP or subnet objects in the VPM will not work, because the proxy evaluates these only against the true layer 3 source IP address in the packet, which after NAT is the load balancer's address rather than the client's.

If the load balancer can insert the HTTP header X-Forwarded-For, however, you can write policy that reads this header and treats its value as though it were the source IP address of the request. An example of this policy, where bluecoat.com is the destination, is below:

Add these lines in local policy (Configuration -> Policy -> Policy Files -> Install Local File from "Text Editor", and add the lines to the end):

<proxy>
request.header.X-Forwarded-For.address=10.1.198.20  url.domain=bluecoat.com  allow

In this example, the rule instead allows a client subnet:

<proxy>
request.header.X-Forwarded-For.address=10.1.198.0/24  url.domain=bluecoat.com  allow
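The following Python model is an added illustration, not ProxySG code or CPL: it reproduces the decision the subnet rule above makes (X-Forwarded-For address in 10.1.198.0/24 and destination under bluecoat.com) and adds the check a practitioner wants before acting on a client-supplied header, namely that the packet's real source (client.address in CPL) is the load balancer itself. The load balancer address 192.0.2.10, the multi-hop header handling and the sample requests are constructed for the example.

```python
import ipaddress

# Constructed values for the model; the subnet and domain come from the article.
LOAD_BALANCERS = {ipaddress.ip_address("192.0.2.10")}   # constructed LB address
ALLOWED_SUBNET = ipaddress.ip_network("10.1.198.0/24")  # subnet from the CPL rule
ALLOWED_DOMAIN = "bluecoat.com"                         # destination from the CPL rule


def forwarded_client(peer, xff):
    """Return the client address vouched for by X-Forwarded-For, or None.

    peer is the real layer 3 source of the packet. Any client can send its own
    X-Forwarded-For header, so the header is only meaningful when the packet
    actually arrived from a known load balancer. A load balancer appends the
    address it saw to the end of the list, so the rightmost entry is the one
    it vouches for (assumption of this model; check your LB's behaviour).
    """
    if ipaddress.ip_address(peer) not in LOAD_BALANCERS or not xff:
        return None
    last_hop = xff.split(",")[-1].strip()
    try:
        return ipaddress.ip_address(last_hop)
    except ValueError:  # malformed header: treat as no client information
        return None


def domain_matches(host, domain):
    """Model of url.domain=: the domain itself or any host under it."""
    host = host.lower().rstrip(".")
    return host == domain or host.endswith("." + domain)


def rule_matches(peer, xff, host):
    """True when the allow rule modelled here would fire for this request."""
    client = forwarded_client(peer, xff)
    return (client is not None
            and client in ALLOWED_SUBNET
            and domain_matches(host, ALLOWED_DOMAIN))


if __name__ == "__main__":
    # Constructed requests: one relayed by the LB, one arriving directly
    # from another host carrying the same header value.
    print(rule_matches("192.0.2.10", "10.1.198.20", "www.bluecoat.com"))  # True
    print(rule_matches("172.16.5.7", "10.1.198.20", "www.bluecoat.com"))  # False
```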
See your load balancer's documentation to determine how to add an X-Forwarded-For header that captures the client IP address and subnet information as traffic traverses the load balancer.