I think Cloudflare would be an outlier because at least for me, https://cloudflare-dns.com/ doesn’t resolve to 220.127.116.11 or 18.104.22.168. The other big providers are more predictable for IP-based blocking.

I did think about suggesting that but he did say he wanted to block all clients. In which case he'd have to block all possible DoH servers that may be used now and in the future - and hope that they don't share the same IP address as a web site they need to access.
EDIT: Actually, you are correct. If you were to block on IP address and port number (rather than just IP address) that could work. So "all" you need to do is create a block list of every DoH server in the world and keep it up to date. That sounds like a task more suited to Skynet.
Maybe a combination of hosts-based blocking of the DoH URL hostname during bootstrapping and IP based blocking of IP:443.
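The combination described in this post, hosts-based blocking of the DoH hostname plus IP:443 blocking of the resolved addresses, as an added example that is not part of the original thread. It also handles the caveat raised above: a resolver IP that is shared with a site the network must still reach is reported as a collision and left out of the port-level rules rather than silently blocked. All hostnames, addresses and the allowlist are constructed sample data from documentation ranges, and the generated lines assume nftables rule syntax; nothing here is a real resolver address.

```python
"""
Build hosts-file entries and nftables rules that block DNS-over-HTTPS (DoH)
resolvers by hostname and by IP:443, flagging resolver IPs that are shared with
sites the network still needs.  Added illustration with constructed data.
"""
import ipaddress
from typing import Dict, List, Tuple

DOH_PORT = 443

# Constructed sample: DoH hostname -> addresses it resolved to at bootstrap time.
DOH_RESOLVERS: Dict[str, List[str]] = {
    "doh.example-resolver.test": ["192.0.2.10", "192.0.2.11"],
    "dns.shared-cdn.test": ["198.51.100.5"],
}

# Constructed sample: sites the network must still reach, with their addresses.
REQUIRED_SITES: Dict[str, List[str]] = {
    "intranet.example.test": ["203.0.113.7"],
    "www.shared-cdn.test": ["198.51.100.5"],  # same IP as a DoH endpoint above
}


def find_collisions(doh: Dict[str, List[str]],
                    required: Dict[str, List[str]]) -> List[Tuple[str, str, str]]:
    """Return (ip, doh_host, required_host) for each DoH IP also used by a required site."""
    ip_to_required: Dict[str, str] = {}
    for host, ips in required.items():
        for ip in ips:
            ip_to_required[ip] = host
    collisions: List[Tuple[str, str, str]] = []
    for doh_host, ips in sorted(doh.items()):
        for ip in ips:
            if ip in ip_to_required:
                collisions.append((ip, doh_host, ip_to_required[ip]))
    return collisions


def hosts_entries(doh: Dict[str, List[str]]) -> List[str]:
    """Hostname-based blocking: sink every DoH hostname via the hosts file."""
    return [f"0.0.0.0 {host}" for host in sorted(doh)]


def nft_rules(doh: Dict[str, List[str]],
              required: Dict[str, List[str]]) -> List[str]:
    """IP:443 blocking as nftables rule lines, skipping IPs shared with required sites.

    TCP gets a reset so clients fail fast; UDP/443 (DoH over HTTP/3) is dropped.
    """
    blocked = {ip for ips in doh.values() for ip in ips}
    shared = {ip for ip, _, _ in find_collisions(doh, required)}
    rules: List[str] = []
    for ip in sorted(blocked - shared, key=ipaddress.ip_address):
        rules.append(f"ip daddr {ip} tcp dport {DOH_PORT} reject with tcp reset")
        rules.append(f"ip daddr {ip} udp dport {DOH_PORT} drop")
    return rules


def render_report(doh: Dict[str, List[str]],
                  required: Dict[str, List[str]]) -> str:
    """Assemble hosts entries, nft rules and collision warnings into one text block."""
    lines = ["# hosts-file entries (hostname blocking during bootstrap)"]
    lines += hosts_entries(doh)
    lines.append("# nftables rules (IP:443 blocking), e.g. inside a forward chain")
    lines += nft_rules(doh, required)
    for ip, doh_host, req_host in find_collisions(doh, required):
        lines.append(f"# WARNING: {ip} serves DoH host {doh_host} AND required site "
                     f"{req_host}; not blocked by IP, rely on the hosts entry only")
    return "\n".join(lines)


if __name__ == "__main__":
    print(render_report(DOH_RESOLVERS, REQUIRED_SITES))
```

The collision check is the part worth keeping when adapting this: the hosts entry still stops clients that look the hostname up through the local resolver, but a client that has the resolver's IP cached or hard-coded will only be caught by the port rule, and for a shared IP that rule would also break the required site.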