...also, it appears that the hook script /etc/libvirt/hooks/daemon, which is called when the libvirt daemon is started, is actually called _before_ libvirt adds its own iptables rules, because I am not able to insert my custom rule at the top of the chain.
#!/bin/bash
#
# Re-insert the custom rule at the top of the nat chain after a short delay.
insert_rule() {
    sleep 2
    iptables -t nat -D CUSTOM_RULE
    iptables -t nat -I CUSTOM_RULE
}

# $2 is the operation libvirt passes to the daemon hook (start, shutdown, reload).
case $2 in
    start|reload)
        insert_rule >/dev/null 2>&1 &
        ;;
    *)
        :
        ;;
esac
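As an added example (not the poster's script or anything shipped by libvirt), here is a variant of the daemon hook that polls for libvirt's own nat chain instead of sleeping a fixed two seconds, then checks that the custom rule really ended up first. It assumes LIBVIRT_PRT is the chain libvirt creates in the nat table (libvirt 5.1 and later); CUSTOM_CHAIN and CUSTOM_RULE are constructed placeholders.

```shell
#!/bin/bash
# Added example, not the original poster's script. Instead of a fixed sleep,
# poll until libvirt's own nat chain exists, then (re)insert the custom rule
# at position 1 and verify it really is first.
# Assumptions: LIBVIRT_PRT is libvirt's nat chain (libvirt >= 5.1);
# CUSTOM_CHAIN/CUSTOM_RULE are constructed placeholders, not values from the post.
LIBVIRT_CHAIN=LIBVIRT_PRT
CUSTOM_CHAIN=POSTROUTING
CUSTOM_RULE="-s 192.0.2.0/24 -j ACCEPT"

# 0 when libvirt has created its chain in the nat table, i.e. its rules are in.
libvirt_ready() {
    iptables -t nat -S "$LIBVIRT_CHAIN" >/dev/null 2>&1
}

# 0 when CUSTOM_RULE is the first rule of CUSTOM_CHAIN. `iptables -S` prints the
# policy line (-P) and then one "-A <chain> <spec>" line per rule, in order.
rule_is_first() {
    first=$(iptables -t nat -S "$CUSTOM_CHAIN" | grep -m1 '^-A ') || true
    [ "$first" = "-A $CUSTOM_CHAIN $CUSTOM_RULE" ]
}

# Wait up to $1 seconds for libvirt, then put the rule at the top. Deleting any
# earlier copy first keeps a reload from stacking duplicates. Returns 1 if
# libvirt never showed up or the rule did not end up first.
insert_rule() {
    remaining=${1:-30}
    while ! libvirt_ready; do
        remaining=$((remaining - 1))
        [ "$remaining" -gt 0 ] || return 1
        sleep 1
    done
    iptables -t nat -D "$CUSTOM_CHAIN" $CUSTOM_RULE 2>/dev/null || true
    iptables -t nat -I "$CUSTOM_CHAIN" 1 $CUSTOM_RULE || return 1
    rule_is_first
}

# $2 is the operation libvirt passes to the daemon hook (start, shutdown, reload).
case "${2:-}" in
    start|reload) insert_rule 30 >/dev/null 2>&1 & ;;
    *) : ;;
esac
```

Running `rule_is_first` by hand after `systemctl restart libvirtd` is a quick way to confirm the ordering problem described above is fixed rather than merely hidden by a longer sleep.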