Blocking DoH at the router is almost impossible because it looks exactly the same as other HTTPS traffic.

The only option is to do a man in the middle like some business firewalls (eg zscaler) do.

I don't like DoH much either because apps can use it to bypass my local pihole. But blocking it is hard when an app hardcodes its own DoH server.

DoH is really a solution for a US problem that we in Europe don't have. Here it's illegal for ISPs to use deep packet inspection to datamine their customers.