A couple of things occur to me beyond your comments. As said, would be really useful to understand the goal and requirements more.
Myself, I am happy to jump on a quick call if it helps.
- The OpenZiti implementation of BYFE - Bring Your Favorite Engine - GitHub - openziti/tlsuv: TLS and HTTP(s) client library for libuv) - is crypto agile. So that could be a good place to start too. If allows for using OpenSSL for the hop-by-hop encryption. When I last looked it was v3.0, I am pretty sure 3.2 supports post-quantum cryptography (PQC) signature algorithms and key establishment mechanisms
- This was a different discourse conversation on BYOE - How adopted is the BYFE concept?
- I have spoken to people in the community who wanted to test Ziti with cryptosystem dilithium2+p-256... I don't know the status but could check in