Well, yes. If the VPN is run on a different server than the Pi-hole, this wouldn't work so I'm a bit worried to may create too high expectations. I'm thinking about if this is a good option or not.
We could make the option accept
ICLOUD_PR=block(default)ICLOUD_PR=allowICLOUD_PR=eth0,wlan0(comma-separated interface name list)
Performance-wise this wouldn't have much of an impact because we could iterate the interface list only if the query is one of the two domains above.
Also: You'd likely want to enable it on eth0. Does disabling it over wg0 make any difference? If so, this also rather looks like an Apple bug IMO.
I'd like some feedback from the others involved in here about this.