
TLS cipher suites use SHA256 as the hash when using AES_128_GCM and CHACHA20_POLY1305, but SHA384 when using AES_256_GCM.

The TLS Cipher Suite Registry contains no cipher suites that use AES_256_GCM_SHA256 instead of AES_256_GCM_SHA384.

According to RFC 8446, this hash is "to be used with both the key derivation function and handshake message authentication code".

What could be the motivation for using SHA384 over SHA256 as the HMAC-Hash for HKDF when establishing an AES_256_GCM key?

knaccc

1 Answer


Let us assume that someone has built a Cryptographic Quantum Computer (CQC) that can specifically run Grover's algorithm. Grover's algorithm is asymptotically optimal, that is, one needs $\mathcal{O}(\sqrt{n})$ time for $n$-bit security for a pre-image attack or key search. That is, one has 128-bit security from a 256-bit key space. This is the advertisement of Grover's algorithm; yes, it has $\mathcal{O}(\log{n})$ space, however, this is not enough.

What is generally missing is the $\mathcal{O}(\sqrt{n})$ calls of Grover's algorithm; consider that you want to break 128 bits, then you need to run Grover's algorithm $2^{64}$ times. If we assume that you can execute one run of Grover's algorithm on a machine in one nanosecond, then you need $\approx 585$ years to find the key. This is quite optimistic in the sense that one can prepare a CQC in one nanosecond.

Grover's algorithm, like classical algorithms, can be parallelized too. Well, interestingly, for $k$ parallel Grovers we don't have a quadratic increase; we have a $\sqrt{k}$ speed-up. This doesn't scale up well.

This is all about Grover's; now there is another work from Brassard et al. for hash functions, for collision finding, which has $\mathcal{O}(\sqrt[3]{2^{256}})$ time and $\approx \mathcal{O}(2^{85})$ space. That is still asymptotically optimal, and this time we have 128-bit security from a 384-bit hash function with $2^{128}$ space requirements.

With these we can argue that even 256-bit hash functions and even 128-bit block ciphers are safe from CQC. A more realistic calculation made from

Keeping to the details of the article, let's stick with NIST and assume that we need a $384$-bit hash function against CQC to have 128-bit collision resistance; the pre-image resistance is $192$-bit.

If we use a 256-bit HKDF it will have 128-bit CQC pre-image resistance. This means that the 256-bit hash will be enough.

Since TLS 1.3 simplified almost everything:

The Hash function used by Transcript-Hash and HKDF is the cipher suite hash algorithm.

The meaningful explanation is that SHA-384 is chosen to have 128-bit collision resistance, which fits the 128-bit resistance of AES-256. In a simplified manner one can say that AES_256_GCM_SHA384 has 128-bit security against quantum adversaries.

kelalaka
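The answer's point that the cipher suite hash drives both HKDF and the transcript hash can be seen concretely in the TLS 1.3 key schedule. The following Python is an added example, not code from the question, the answer, or any TLS implementation: it implements HKDF (RFC 5869), HKDF-Expand-Label and Derive-Secret (RFC 8446 section 7.1) on top of the standard library, then derives a client handshake traffic key and IV for the three mandatory TLS 1.3 suites. The shared secret and transcript bytes are constructed placeholders (assumed values, not real handshake data), the PSK-less branch of the schedule is assumed, and the `grover_years` helper just reproduces the answer's "one Grover run per nanosecond" estimate.

```python
import hashlib
import hmac
import struct

SECONDS_PER_YEAR = 31_557_600  # Julian year, 365.25 days


def hkdf_extract(hash_name, salt, ikm):
    """RFC 5869 HKDF-Extract; an empty salt means HashLen zero bytes."""
    if not salt:
        salt = b"\x00" * hashlib.new(hash_name).digest_size
    return hmac.new(salt, ikm, hash_name).digest()


def hkdf_expand(hash_name, prk, info, length):
    """RFC 5869 HKDF-Expand: T(i) = HMAC(PRK, T(i-1) || info || i)."""
    okm, t, counter = b"", b"", 1
    while len(okm) < length:
        t = hmac.new(prk, t + info + bytes([counter]), hash_name).digest()
        okm += t
        counter += 1
    return okm[:length]


def hkdf_expand_label(hash_name, secret, label, context, length):
    """RFC 8446 HKDF-Expand-Label with the "tls13 " label prefix."""
    full_label = b"tls13 " + label
    hkdf_label = (struct.pack("!H", length)
                  + bytes([len(full_label)]) + full_label
                  + bytes([len(context)]) + context)
    return hkdf_expand(hash_name, secret, hkdf_label, length)


def derive_secret(hash_name, secret, label, transcript):
    """RFC 8446 Derive-Secret: output length equals Hash.length of the suite."""
    transcript_hash = hashlib.new(hash_name, transcript).digest()
    return hkdf_expand_label(hash_name, secret, label, transcript_hash,
                             hashlib.new(hash_name).digest_size)


# Suite -> (hash used by HKDF and Transcript-Hash, AEAD key length in bytes)
SUITES = {
    "TLS_AES_128_GCM_SHA256": ("sha256", 16),
    "TLS_AES_256_GCM_SHA384": ("sha384", 32),
    "TLS_CHACHA20_POLY1305_SHA256": ("sha256", 32),
}


def client_handshake_keys(suite, shared_secret, transcript):
    """Walk the PSK-less TLS 1.3 key schedule down to the client handshake key/IV."""
    hash_name, key_len = SUITES[suite]
    zeros = b"\x00" * hashlib.new(hash_name).digest_size
    early_secret = hkdf_extract(hash_name, b"", zeros)          # no PSK
    derived = derive_secret(hash_name, early_secret, b"derived", b"")
    handshake_secret = hkdf_extract(hash_name, derived, shared_secret)
    c_hs = derive_secret(hash_name, handshake_secret, b"c hs traffic", transcript)
    return {
        "hash": hash_name,
        "secret_len": len(c_hs),  # 32 bytes for SHA-256 suites, 48 for SHA-384
        "key": hkdf_expand_label(hash_name, c_hs, b"key", b"", key_len),
        "iv": hkdf_expand_label(hash_name, c_hs, b"iv", b"", 12),
    }


def grover_years(key_bits, seconds_per_call=1e-9):
    """Wall-clock years for 2^(key_bits/2) sequential Grover runs at the given rate."""
    return (2 ** (key_bits / 2)) * seconds_per_call / SECONDS_PER_YEAR


if __name__ == "__main__":
    # Constructed placeholder inputs; a real handshake uses the (EC)DHE output
    # and the actual ClientHello..ServerHello transcript bytes.
    shared = bytes(range(32))
    transcript = b"ClientHello||ServerHello (constructed)"
    for suite in SUITES:
        k = client_handshake_keys(suite, shared, transcript)
        print(f"{suite}: hash={k['hash']} secret={k['secret_len']}B "
              f"key={len(k['key'])}B iv={len(k['iv'])}B")
    print(f"Grover on a 128-bit key at 1 ns/run: {grover_years(128):.0f} years")
```

Running it shows that switching from a SHA-256 suite to TLS_AES_256_GCM_SHA384 changes every intermediate secret from 32 to 48 bytes while the AEAD key stays at the 32 bytes AES-256 needs; the extra width lives entirely in the HKDF chain and transcript hash that the answer discusses.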