It's not perfect, but I find blocking all traffic in/out to global dns servers with pfBlockerNG to be an okay way to limit the DoH bypass of simple port 53 blocking. There are still ways around it, but it has caught a lot of other interesting traffic (snmp, ntp, etc.) leaving my network and that a simple port 53 block misses.

This is the list I use: https://public-dns.info/nameservers-all.txt