Yeah, this is a problem but not one without a solution (unless Android bundles in a built-in Firewall API that other apps could use [0]): RethinkDNS already supports chaining via SOCKS5, and it would also soon support connections to/from WireGuard endpoints: https://github.com/celzero/rethink-app/issues/52
And since RethinkDNS' underlying tunnel implementation is in Go, I'm fully expecting wireguard-go to fit in seamlessly.
This is how I enforce my private DNS on my Android devices. I just wireguard my Android devices up to a PiHole device. Works everywhere I take my Android devices, so I get all the benefits of my home network anywhere I go. :)