For more information on the HTTPS queries, take a look at "About DNS Resource Record type 65 (SVCB HTTPS)".
To protect against DoT and DoH bypass, we currently rely on DTTS, which blocks all unknown IP connections.
You could create a rule to block destination UDP 853 from LAN to prevent DoT bypass. But for DoH you’d have to blacklist the popular services.
We have a shared blacklist for popular DoH providers here (My Dashboard) that you could subscribe to and enable on your policy.