Would it be possible to MITM TLS requests with its own certificate? #15
Description
My goal is to be able to capture the content of the request, not only the metadata (source & dest IP:port, DNS resolution).
If I understand correctly, this happens at IP level, so it should be possible to intercept TLS handshake and provide a MITM TLS proxy in between.
When TLS is detected, the MITM would capture the TLS key negotiation, swap in its own CA-provided key negotiation, then decrypt and re-encrypt the communication on each side. There are Go modules (like mitm-go) doing this, although I don't know if it would apply here.
This would allow finer granularity in the agent's allow/deny rules (like allowing GET from github.com/some_repo but not POST, or denying GET to github.com/* except for repo X, and so on).
Also, what prevents an agent from starting to use DoH or DoT to escape the proxying rules currently? I guess the tool is tracking the getaddrinfo calls (and/or DNS queries) per connection and reports those to figure out the domain name it displays. But as soon as the agent uses TLS for DNS, you can't do that, right?
Imagine the agent is querying legitimatewebsite.com, which you'll allow.
Then it can query evildomain.com via DoH or DoT, which will, in turn, answer with some CDN IP (hosting both legitimatewebsite.com and evildomain.com), and you'll list it as legitimatewebsite.com, right?
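Added example, not code from this issue or from the project it is filed against: a proxy that sits on the connection does not have to rely on the agent's DNS traffic to name a TLS destination, because the ClientHello carries the server_name (SNI) in the clear before any key exchange, so a name resolved over DoH/DoT still appears there (Encrypted ClientHello being the exception). The hostnames are the ones used in the issue; the ClientHello is produced with Python's ssl module over in-memory BIOs, so nothing touches the network.

```python
import ssl
import struct


def capture_client_hello(host):
    """Produce a genuine TLS ClientHello for `host` in memory; stands in for the
    first record an egress proxy reads on a new connection."""
    ctx = ssl.create_default_context()
    incoming, outgoing = ssl.MemoryBIO(), ssl.MemoryBIO()
    conn = ctx.wrap_bio(incoming, outgoing, server_hostname=host)
    try:
        conn.do_handshake()
    except ssl.SSLWantReadError:
        pass  # client wrote its ClientHello and now waits for the server
    return outgoing.read()


def _vec(buf, pos, width):
    """Read a length-prefixed vector (1- or 2-byte length) at pos -> (data, new_pos)."""
    if pos + width > len(buf):
        raise ValueError("truncated ClientHello")
    n = buf[pos] if width == 1 else struct.unpack_from("!H", buf, pos)[0]
    pos += width
    if pos + n > len(buf):
        raise ValueError("truncated ClientHello")
    return buf[pos:pos + n], pos + n


def sni_from_client_hello(rec):
    """Return the server_name from a TLS ClientHello record, or None if absent."""
    # Record header: 0x16 handshake, version(2), length(2); handshake header:
    # 0x01 ClientHello, length(3); then client_version(2) and random(32).
    if len(rec) < 43 or rec[0] != 0x16 or rec[5] != 0x01:
        raise ValueError("not a TLS ClientHello record")
    pos = 43
    _, pos = _vec(rec, pos, 1)  # session_id
    _, pos = _vec(rec, pos, 2)  # cipher_suites
    _, pos = _vec(rec, pos, 1)  # compression_methods
    exts, pos = _vec(rec, pos, 2)
    p = 0
    while p + 4 <= len(exts):  # each extension: type(2) length(2) data
        ext_type = struct.unpack_from("!H", exts, p)[0]
        data, p = _vec(exts, p + 2, 2)
        if ext_type == 0:  # server_name: list_len(2) name_type(1)=0 host_name<2-byte len>
            lst, _ = _vec(data, 0, 2)
            if len(lst) < 3 or lst[0] != 0:
                raise ValueError("malformed server_name extension")
            name, _ = _vec(lst, 1, 2)
            return name.decode("ascii")
    return None


if __name__ == "__main__":
    for host in ("legitimatewebsite.com", "evildomain.com"):  # constructed sample hosts
        print(host, "->", sni_from_client_hello(capture_client_hello(host)))
```

Whichever CDN address the two names resolve to, the connection to evildomain.com is attributable by its SNI rather than by the last DNS answer seen for that IP.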