Does SGT replace the firewall in the SDAccess network diagram?

Maivakov
Level 1

I find no firewall in the SDAccess network diagram.

Does SGT replace the firewall functions in the SDAccess network diagram?

Or does the firewall only exist in SDWan?

4 Replies

Torbjørn
Spotlight

Cisco TrustSec/SGTs provide micro-segmentation functionality with SGACLs (security group access lists) within each VN/VRF in SDA. You insert a security group tag (SGT) on ingress to the fabric and match based on this tag in an SGACL on egress from the fabric. If you want any more advanced firewalling capability, you would want to put source and destination in different VRFs/VNs and route the traffic through a firewall outside of the fabric.

Happy to help! Please mark as helpful/solution if applicable.
Get in touch: https://torbjorn.dev

SGT has already told where the client computer can go.

Besides filtering malware and the IPS function, which advanced firewalling capability can a firewall further provide that SGT cannot?

Assume a computer is infected with a virus and SGT restricts where it can go; where will this virus be? Is a firewall outside the border routers finally also needed?

SGTs only provide simple SGACL rules that match based on source and destination tag, where the "action" can be to filter based on an access contract (ACL/permit all/deny all). The magic thing about SGTs compared to a firewall is where the rules are enforced: at the edge node.

Let's say you have an IoT VN containing all of your IoT devices. In said VN you have a set of robot vacuums that should only be able to communicate with a local server over MQTT, and your server should only be allowed to communicate with the internet. You configure the SGACL for this VN to be default deny and permit only the required flows. If your robot vacuum provider is hacked and a malicious firmware version is published, the potential spread is limited to between the vacuums. Without SGTs the potential spread/lateral movement would be to all other devices in your IoT VN.

If you were to implement the same level of security in a traditional network, you would have to create a private VLAN for your vacuums, a VLAN for your management server, and implement policy on the gateway or have it routed through a firewall. With the number of different, possibly poorly secured IoT devices the average enterprise has today, this quickly becomes a nightmare to deploy and manage. Instead you can have your one large IoT VN where you implement microsegmentation with SGTs to limit east-west spread.

For your client computer example the same will apply. You can also do more advanced things like assigning different SGTs based on ISE policy/profiling, or quarantining clients based on Cisco Secure Endpoint (AMP) events.

Happy to help! Please mark as helpful/solution if applicable.
Get in touch: https://torbjorn.dev
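The mechanism described in both of Torbjørn's replies (tag assigned on ingress to the fabric, (source SGT, destination SGT) looked up in a default-deny SGACL matrix on egress, each cell carrying a permit-all/deny-all/ACL contract) can be modelled in a few dozen lines. The following is an added example, not code from this thread or from Cisco: the VN names, tag names, addresses, ports and the `blast_radius` helper are constructed for illustration, and the 203.0.113.0/24 address stands in for "the internet". It also contrasts the reachable set of a compromised vacuum with and without SGACL enforcement, which is the lateral-movement point the reply makes.

```python
"""Toy model of TrustSec/SGT enforcement in an SD-Access fabric (added example).

An endpoint gets a security group tag (SGT) on ingress to the fabric; the
egress edge/border node looks up (source SGT, destination SGT) in the SGACL
matrix and applies that cell's contract. Tag names, VN names, addresses and
ports below are constructed for illustration; real policy is authored in ISE
and pushed to the edge nodes.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

# --- Constructed endpoint table: ip -> (VN/VRF, SGT assigned on ingress) ---
ENDPOINTS: Dict[str, Tuple[str, str]] = {
    "10.1.0.11": ("IoT", "Vacuum"),       # robot vacuum 1
    "10.1.0.12": ("IoT", "Vacuum"),       # robot vacuum 2
    "10.1.0.50": ("IoT", "MQTT_Server"),  # local MQTT broker
    "10.1.0.77": ("IoT", "IoT_Other"),    # unrelated IoT device in the same VN
    "10.2.0.5":  ("Corp", "Corp_User"),   # workstation in a different VN
}
# Anything the fabric cannot classify (e.g. the internet beyond the border).
OUTSIDE = ("Internet", "Unknown")


@dataclass(frozen=True)
class Flow:
    src_ip: str
    dst_ip: str
    proto: str   # "tcp" or "udp"
    dport: int


# A contract is the ACL applied to a matrix cell; the reply's "permit all"
# and "deny all" are the two trivial contracts. Note a contract only sees
# protocol/port, not payload, which is why the IPS/malware inspection asked
# about in the thread is not something an SGACL can provide.
Contract = Callable[[Flow], bool]
PERMIT_ALL: Contract = lambda f: True
DENY_ALL: Contract = lambda f: False


def tcp_ports(*ports: int) -> Contract:
    """Contract that permits only TCP to the listed destination ports."""
    return lambda f: f.proto == "tcp" and f.dport in ports


MQTT_PORT = 1883   # assumed standard MQTT port for the broker

# --- SGACL matrix for the IoT VN: default deny, permit only required flows ---
SGACL_MATRIX: Dict[Tuple[str, str], Contract] = {
    ("Vacuum", "MQTT_Server"): tcp_ports(MQTT_PORT),  # vacuums publish to the broker
    ("Vacuum", "Vacuum"): PERMIT_ALL,        # reply: spread stays between the vacuums
    ("MQTT_Server", "Unknown"): PERMIT_ALL,  # the server may reach the internet
}
DEFAULT_CONTRACT: Contract = DENY_ALL


def classify(ip: str) -> Tuple[str, str]:
    """Ingress classification: (VN, SGT) for an endpoint, OUTSIDE if unknown."""
    return ENDPOINTS.get(ip, OUTSIDE)


def egress_decision(flow: Flow, enforce_sgacl: bool = True) -> str:
    """Decision at the egress edge/border node for one flow: 'permit' or 'deny'."""
    src_vn, src_sgt = classify(flow.src_ip)
    dst_vn, dst_sgt = classify(flow.dst_ip)
    # VN/VRF boundary: no route between VNs inside the fabric (that traffic
    # would go via an external firewall); the border still forwards
    # internet-bound traffic out of any VN.
    if dst_vn != "Internet" and dst_vn != src_vn:
        return "deny"
    if not enforce_sgacl:
        return "permit"   # plain routing inside the VN, no microsegmentation
    contract = SGACL_MATRIX.get((src_sgt, dst_sgt), DEFAULT_CONTRACT)
    return "permit" if contract(flow) else "deny"


# Constructed probe set: a few ports a compromised device might try.
PROBES = (("tcp", MQTT_PORT), ("tcp", 22), ("tcp", 445), ("udp", 53))


def blast_radius(compromised_ip: str, candidates: List[str],
                 enforce_sgacl: bool = True) -> List[str]:
    """Endpoints a compromised host can still reach on at least one probe:
    the 'potential spread / lateral movement' the reply contrasts with and
    without SGTs."""
    reachable = []
    for dst in candidates:
        if dst == compromised_ip:
            continue
        if any(egress_decision(Flow(compromised_ip, dst, p, port), enforce_sgacl) == "permit"
               for p, port in PROBES):
            reachable.append(dst)
    return reachable


if __name__ == "__main__":
    hosts = list(ENDPOINTS) + ["203.0.113.9"]   # documentation address as "internet"
    vac = "10.1.0.11"
    print("with SGACLs   :", blast_radius(vac, hosts))
    print("without SGACLs:", blast_radius(vac, hosts, enforce_sgacl=False))
```

Running it shows the compromised vacuum limited to the other vacuum and the broker's MQTT port with SGACLs, versus every device in the IoT VN plus the internet without them. The cross-VN workstation is unreachable in both cases, which mirrors the first reply: VN separation plus an external firewall handles inter-VN traffic, SGACLs handle east-west traffic within a VN.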

balaji.bandi
Hall of Fame

YES and NO. SGT 100% cannot replace firewalls; SGT gives you the ability to segment the traffic (allow and deny) in the campus LAN.

Not all devices support SGT, but new hardware like the Cat 9K, which is part of SD-Access, can support it.

If you have a full-blown SD-Access environment (DNAC + Cat9K + ISE + Stealthwatch), you can enforce user traffic based on VN.

If you add a firewall for additional security, the SD-Access will be more secure. Look at the example design guide:

https://www.cisco.com/c/en/us/td/docs/solutions/CVD/Campus/cisco-sda-design-guide.html

BB

***** Rate All Helpful Responses *****
