I am working on a use case to do SNI-based routing in Envoy without doing TLS termination.

Scenario:

Customer makes an HTTPS request for the domain name `dd-server_name-zion-zorfy.com`.

I need to extract the domain name using SNI and forward the request to the upstream with DNS name `wd-server_name-zion-zorfy.com`.

The `server_name` is dynamic in nature and can have different values. Basically, I need to replace the `dd` prefix in the host name with `wd` and route the request to this destination without doing TLS termination in Envoy.

I have the below Envoy configuration, and when I make an HTTPS request, I get a connection timeout error:
```yaml
static_resources:
  listeners:
  - name: listener_0
    address:
      socket_address:
        protocol: TCP
        address: 0.0.0.0
        port_value: 9002
    listener_filters:
    - name: envoy.filters.listener.tls_inspector
      typed_config:
        "@type": type.googleapis.com/envoy.extensions.filters.listener.tls_inspector.v3.TlsInspector
    filter_chains:
    - filters:
      - name: envoy.filters.network.sni_dynamic_forward_proxy
        typed_config:
          "@type": type.googleapis.com/envoy.extensions.filters.network.sni_dynamic_forward_proxy.v3.FilterConfig
          port_value: 443
          dns_cache_config:
            name: dynamic_forward_proxy_cache_config
            dns_lookup_family: V4_ONLY
      - name: envoy.filters.http.lua
        typed_config:
          "@type": type.googleapis.com/envoy.extensions.filters.http.lua.v3.Lua
          inline_code: |
            function envoy_on_request(request_handle)
              host = string.match(request_handle:headers():get("host"), "dd%-(.*)")
              target = "wd-" .. host
              REQUESTED_SERVER_NAME = target
            end
      - name: envoy.tcp_proxy
        typed_config:
          "@type": type.googleapis.com/envoy.extensions.filters.network.tcp_proxy.v3.TcpProxy
          stat_prefix: tcp
          cluster: dynamic_forward_proxy_cluster
          tunneling_config:
            hostname: "%REQUESTED_SERVER_NAME%:443"
  clusters:
  - name: dynamic_forward_proxy_cluster
    lb_policy: CLUSTER_PROVIDED
    cluster_type:
      name: envoy.clusters.dynamic_forward_proxy
      typed_config:
        "@type": type.googleapis.com/envoy.extensions.clusters.dynamic_forward_proxy.v3.ClusterConfig
        dns_cache_config:
          name: dynamic_forward_proxy_cache_config
          dns_lookup_family: V4_ONLY
```
Can someone help me with what changes I need to make in the Envoy configuration to get this working? Is this even doable?
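The two parts of this problem that do not depend on Envoy at all, shown as an added example (my code, not from the question and not Envoy's own code). First, what `tls_inspector` actually reads: the `server_name` extension sits in the plaintext ClientHello, so a proxy can extract it with no key material and without terminating the session; in a passthrough TCP filter chain that SNI is the only name available, since the Lua filter in the question is an HTTP-level filter that reads a decoded `Host` header, which does not exist until HTTP is decoded, and `tunneling_config` on `tcp_proxy` wraps the client's bytes in an HTTP CONNECT request that a plain TLS server on port 443 will not understand. Second, the `dd` to `wd` rewrite, done with an anchored full-name match instead of the unanchored `dd%-(.*)` pattern: `xdd-foo...` or `dd-foo-zion-zorfy.com.attacker.net` are refused rather than forwarded. The `-zion-zorfy.com` suffix allowlist is an assumption, as is the port 443 implied by the listener; without some such restriction a dynamic forward proxy dials whatever name the client puts in its SNI, which makes the listener an open relay to any host on 443. The ClientHello bytes are constructed inside the script.

```python
import re
import struct
from typing import Optional

# Constructed test input: a minimal TLS 1.2 ClientHello record carrying the
# server_name extension. Only the fields the SNI parser has to step over are filled in.
def build_client_hello(server_name: str) -> bytes:
    host = server_name.encode("ascii")
    sni_entry = b"\x00" + struct.pack("!H", len(host)) + host         # name_type host_name(0)
    sni_data = struct.pack("!H", len(sni_entry)) + sni_entry
    sni_ext = struct.pack("!HH", 0x0000, len(sni_data)) + sni_data     # extension type 0 = server_name
    other_ext = struct.pack("!HH", 0x002B, 3) + b"\x02\x03\x04"        # supported_versions, must be skipped
    extensions = other_ext + sni_ext
    body = (
        b"\x03\x03"                                # client_version TLS 1.2
        + b"\x00" * 32                             # random
        + b"\x00"                                  # session_id: empty
        + struct.pack("!H", 2) + b"\x13\x01"       # one cipher suite
        + b"\x01\x00"                              # compression: null only
        + struct.pack("!H", len(extensions)) + extensions
    )
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body              # client_hello(1)
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake  # record type handshake(22)


def extract_sni(record: bytes) -> Optional[str]:
    """Return the host_name from the ClientHello's server_name extension, or None.

    This is the plaintext read tls_inspector performs before any routing decision.
    Every length is bounds-checked: a truncated or non-TLS first packet yields None.
    """
    if len(record) < 5 or record[0] != 0x16:           # not a TLS handshake record
        return None
    (rec_len,) = struct.unpack("!H", record[3:5])
    hs = record[5:5 + rec_len]
    if len(hs) < 4 or hs[0] != 0x01:                   # not a ClientHello
        return None
    hs_len = int.from_bytes(hs[1:4], "big")
    body = hs[4:4 + hs_len]
    if len(body) < hs_len:                             # truncated: would need more bytes
        return None
    pos = 2 + 32                                       # client_version + random
    if len(body) < pos + 1:
        return None
    pos += 1 + body[pos]                               # session_id
    if len(body) < pos + 2:
        return None
    pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]   # cipher_suites
    if len(body) < pos + 1:
        return None
    pos += 1 + body[pos]                               # compression_methods
    if len(body) < pos + 2:                            # no extensions block: no SNI
        return None
    (ext_len,) = struct.unpack("!H", body[pos:pos + 2])
    pos += 2
    end = pos + ext_len
    if end > len(body):
        return None
    while pos + 4 <= end:
        etype, elen = struct.unpack("!HH", body[pos:pos + 4])
        data = body[pos + 4:pos + 4 + elen]
        pos += 4 + elen
        if etype != 0x0000 or len(data) < 2:
            continue
        q, list_end = 2, 2 + struct.unpack("!H", data[:2])[0]
        while q + 3 <= min(list_end, len(data)):
            ntype, nlen = data[q], struct.unpack("!H", data[q + 1:q + 3])[0]
            name = data[q + 3:q + 3 + nlen]
            q += 3 + nlen
            if ntype == 0 and len(name) == nlen:
                try:
                    return name.decode("ascii")
                except UnicodeDecodeError:
                    return None
        return None
    return None


# Assumption: the proxy is only meant to reach hosts in this zone. Matching the whole
# name, not a "dd-" substring, is what stops a client from steering the forward proxy
# to an arbitrary host with a chosen SNI.
ALLOWED_SUFFIX = "-zion-zorfy.com"
_SNI_RE = re.compile(r"dd-([a-z0-9-]{1,63})" + re.escape(ALLOWED_SUFFIX))


def upstream_for_sni(sni: Optional[str]) -> Optional[str]:
    """Map dd-<server_name>-zion-zorfy.com to wd-<server_name>-zion-zorfy.com, else None."""
    if sni is None:
        return None
    m = _SNI_RE.fullmatch(sni.lower())
    return None if m is None else "wd-" + m.group(1) + ALLOWED_SUFFIX


def route_first_packet(packet: bytes) -> Optional[str]:
    """Upstream host for a connection's first bytes; None means refuse the connection."""
    return upstream_for_sni(extract_sni(packet))


if __name__ == "__main__":
    for name in ("dd-shop-zion-zorfy.com", "xdd-shop-zion-zorfy.com", "dd-shop-zion-zorfy.com.attacker.net"):
        print(name, "->", route_first_packet(build_client_hello(name)))
```

The parser returns None on anything that is not a complete ClientHello, which is the same failure mode a proxy should treat as "no SNI, refuse" rather than "forward to a default"; the rewrite returns None for every name outside the allowed shape, so the only hosts ever dialed are `wd-<label>-zion-zorfy.com`.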