
I'm writing a client to retrieve data from a server (not under my control) via https and that works fine.

What I want to do is make it so my request to the server cannot be sniffed by someone on the client's computer using Fiddler, etc. So is there any way to make the headers/url encrypted before they can be intercepted by Fiddler?

Gary Garygary
  • [this](http://www.fiddler2.com/fiddler/help/httpsdecryption.asp) explains how Fiddler performs a man-in-the-middle attack to decrypt HTTPS traffic. Maybe that can give you some ideas for how to thwart it. – mbeckish Mar 03 '13 at 02:01
  • Related: http://stackoverflow.com/q/10808930/21727 – mbeckish Mar 03 '13 at 02:08
  • If you don't trust the computer your code is running on, then you have a big problem. No kind of encryption of your communication will help, if the user can go and read (or even modify) your code. – svick Mar 03 '13 at 03:18

1 Answer


My understanding of Fiddler is that it stands in between the client and the server by posing as a proxy. You are correct, it looks like Fiddler has the ability to intercept HTTPS transmissions.

But, per Fiddler's documentation, the certificate that Fiddler presents will not be trusted by your C# application. The C# application will throw an exception saying that it could not verify trust with the remote server. And no data will be transmitted.

If you're really paranoid, you can do what is called "certificate pinning" where your C# application will look for a specific certificate from the HTTPS server to ensure that it is the exact server you're looking for. Though, if the certificate were ever to change, you'd need to update your application.

EDIT: Rereading the documentation, Fiddler does provide a way for the certificate it uses to be trusted by Windows (and any ensuing applications using those trusted stores like Chrome and .NET). If that is done, your C# application would more than likely operate like normal with your traffic being completely visible to Fiddler. If you are worried about this for some reason, I would take a look into certificate pinning.

Steven V
  • OK, I should have said that Fiddler currently has no trouble reading the data I'm sending. The certificate pinning thing looks like the way to go. – Gary Garygary Mar 03 '13 at 04:17
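The certificate pinning the answer describes, as an added example that is not code from the question or the answer: it assumes .NET 6 or later, an `HttpClient` rather than the older `ServicePointManager` API, and a placeholder pin value that you would replace with the SHA-256 hash of the real server certificate's DER bytes.

```csharp
using System;
using System.Net.Http;
using System.Net.Security;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;
using System.Threading.Tasks;

static class PinnedClient
{
    // Placeholder (assumption): hex SHA-256 of the real server's leaf certificate (DER bytes).
    const string PinnedSha256Hex = "0000000000000000000000000000000000000000000000000000000000000000";

    // Called by HttpClientHandler after the platform's own chain validation has run.
    static bool ValidatePinned(HttpRequestMessage request, X509Certificate2? cert,
                               X509Chain? chain, SslPolicyErrors errors)
    {
        // Step 1: keep the normal trust check. Note that an interception proxy whose root
        // has been installed into the Windows store passes this step, so it is not enough.
        if (errors != SslPolicyErrors.None || cert == null)
            return false;

        // Step 2: require the presented leaf certificate to match the pinned hash. A proxy's
        // generated certificate has different DER bytes, so its hash will not match.
        string actual = Convert.ToHexString(SHA256.HashData(cert.RawData));
        return string.Equals(actual, PinnedSha256Hex, StringComparison.OrdinalIgnoreCase);
    }

    static async Task Main()
    {
        var handler = new HttpClientHandler
        {
            ServerCertificateCustomValidationCallback = ValidatePinned
        };
        using var client = new HttpClient(handler);
        try
        {
            // Placeholder URL (assumption); the handshake is validated before this request is sent.
            string body = await client.GetStringAsync("https://example.com/");
            Console.WriteLine($"Received {body.Length} chars");
        }
        catch (HttpRequestException ex)
        {
            // A pin mismatch aborts the TLS handshake, so no request URL or header
            // reaches the proxy; the failure surfaces here as an exception.
            Console.WriteLine($"Request refused: {ex.Message}");
        }
    }
}
```

As the answer notes, the pin must be updated whenever the server's certificate changes; pinning the hash of the certificate's public key (`cert.GetPublicKey()`) instead of the whole certificate survives renewals that keep the same key pair. This does not address svick's point: anyone who controls the client machine can patch the pinned value in the application itself.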