How to allow ADGUARDHOME through firewall rules

Oh sorry about that :slight_smile:

I guess you have already seen my “template” regarding a zone-based approach for 1.5-rolling?

Note that the above isn't complete (IPv6 stuff is missing and defaults for input/output filter should be changed from “accept” to “drop”).

Since your adguard container runs locally on the VyOS I think it's the input/output filters you will have to act on (and not the forward filter).

Note that for DNS you have to allow both UDP53 and TCP53 in the input filter (stuff that cannot fit in a single UDP-packet, normally max 1280 bytes (smallest allowable MTU for IPv6), will switch to use TCP instead - not uncommon when DNSSEC and other is being used) for your adguard to work properly.

And then in the output filter basically the same thing so the adguard container can perform the resolving towards authoritative servers.

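The rules described in the post above, sketched as VyOS configure-mode commands for the IPv4 input and output filters. This is an added example and not part of the original post or the poster's template. The rule number 100 and the descriptions are arbitrary choices, and it assumes the rule set already accepts established/related traffic so that replies to outbound queries are let back in.

```vyos
# Added example; rule number 100 and the descriptions are assumptions.
# Assumes established/related traffic is already accepted elsewhere
# in the rule set, otherwise DNS replies will be dropped.

# Input filter: clients querying the AdGuard Home container on the router.
# tcp_udp matches both transports, so large answers that fall back to
# TCP (for example with DNSSEC) are not dropped.
set firewall ipv4 input filter rule 100 description 'DNS queries to AdGuard Home'
set firewall ipv4 input filter rule 100 action 'accept'
set firewall ipv4 input filter rule 100 protocol 'tcp_udp'
set firewall ipv4 input filter rule 100 destination port '53'

# Output filter: AdGuard Home resolving towards upstream/authoritative servers.
set firewall ipv4 output filter rule 100 description 'DNS from AdGuard Home to upstream'
set firewall ipv4 output filter rule 100 action 'accept'
set firewall ipv4 output filter rule 100 protocol 'tcp_udp'
set firewall ipv4 output filter rule 100 destination port '53'
```

Once the default action of both filters is changed to drop, these rules are what keep DNS working; IPv6 needs the equivalent rules under `firewall ipv6`.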