I am trying to understand DNS-over-TLS and my NordVPN setup. How do I get my devices using the VPN to always use my VPN DNS servers, and the devices using WAN access to the Internet to use the DNS-over-TLS servers? I am using RT-AC86U_386.1_Beta4 of Asus Merlin on an AC86U Asus modem directly connected to my ISP (no intervening router). I was doing this all using 384.19 with exactly the same result. Thought I would give the Beta4 version a try.
LAN -> No DNS servers defined
WAN ->
Forward Local domain queries ... NO
Enable DNS Rebind protection ... NO
Enable DNSSEC support ... NO
Prevent client auto DoH ... NO (tried yes and this really messed things up!)
DNS Privacy Protocol ... DNS-over-TLS (DoT)
DNS-over-TLS profile ... Strict
I have 3 DNS-over-TLS Servers in the List
VPN
I have NordVPN
Normal setup with these exceptions:
Accept DNS Configuration ... Exclusive
Create NAT on tunnel ... YES
Inbound Firewall ... Block
Force internet traffic through tunnel ... Policy Rules
Block routed Clients ... Yes
Custom NordVPN Configuration (normal except for the following)
dhcp-option DNS 103.86.96.100
dhcp-option DNS 103.86.99.100
Testing is done on a laptop assigned to VPN: 192.168.x.0/24
Doing DNS leak tests on numerous websites, they always show I am using the DNS-over-TLS DNS servers. I cannot get any DNS leak test to show I am actually using my VPN service DNS servers.
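As an added illustration (not the poster's setup and not Asus Merlin's own code), the following Python models the split the post is after: port-53 queries from policy-routed VPN clients get redirected to the DNS servers pushed by the OpenVPN `dhcp-option DNS` lines, while everything else reaches the router's DNS-over-TLS forwarder. The chain name `DNSVPN1`, the rule shapes, the client IPs and the `ROUTER_DOT` label are assumptions constructed for the example.

```python
import re

# Constructed sample: the dhcp-option lines from the post's custom OpenVPN config.
OVPN_CUSTOM = """\
dhcp-option DNS 103.86.96.100
dhcp-option DNS 103.86.99.100
"""

# Constructed sample policy rules: (client IP, interface the client is routed over).
POLICY_RULES = [("192.168.50.10", "VPN"), ("192.168.50.20", "WAN")]

# Placeholder label for the router's own DoT forwarder on the WAN path.
ROUTER_DOT = "router:DoT"


def pushed_dns(custom_config):
    """Return the DNS servers pushed by 'dhcp-option DNS' lines, in order."""
    return re.findall(r"^\s*dhcp-option\s+DNS\s+(\S+)\s*$", custom_config, re.M)


def dnat_rules(policy_rules, dns_servers, chain="DNSVPN1"):
    """Build iptables nat rules that force plain port-53 queries from VPN-routed
    clients to the first pushed resolver. Chain name and rule shape are an
    assumption modelled on the 'Exclusive' idea, not copied from the firmware."""
    primary = dns_servers[0]
    rules = [f"iptables -t nat -N {chain}",
             f"iptables -t nat -I PREROUTING -p udp --dport 53 -j {chain}",
             f"iptables -t nat -I PREROUTING -p tcp --dport 53 -j {chain}"]
    for ip, iface in policy_rules:
        if iface == "VPN":  # WAN clients are left alone and fall through to dnsmasq/DoT
            rules.append(f"iptables -t nat -A {chain} -s {ip} -j DNAT --to-destination {primary}")
    return rules


def resolver_for(client_ip, dst_port, policy_rules, dns_servers):
    """Predict which resolver a query from client_ip ends up at.
    Only plain DNS on port 53 is caught by the DNAT. A VPN-routed client whose
    port-53 query is not redirected lands at the router forwarder and therefore
    shows the router's DoT servers in a leak test; a client speaking DoT (853)
    or DoH (443) itself bypasses the router's DNS handling entirely."""
    routed = dict(policy_rules).get(client_ip, "WAN")
    if dst_port != 53:
        return "client-direct (bypasses router DNS)"
    if routed == "VPN":
        return dns_servers[0]
    return ROUTER_DOT
```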