It sounds like you've panicked a bit too much about DoH's security risks. The kinds of problems you could see with DoH connections could also be seen by a user connecting directly to an IP address or using whatever open ports you have to run a VPN or connect through Tor. Either of those would bypass internal DNS controls and would probably flag as risks in your network analysis logs anyway. Since the use of any of those things would be violations of a security policy, you might as well tell people they must use a certain set of configurations that disallow DoH, and using DoH will be a violation of security policy. Wouldn't that pretty much solve that problem?