Probably the only way you’re going to reliably access exotic user/group tables in confinement would be via a proxy like nscd (or an equivalent like unscd).
It looks like any of the interfaces that end up doing #include <abstractions/nameservice> should grant access to its socket. One such interface is network, which you might already be plugging.
I realise that using nscd can have some drawbacks, but it might be the best option here.