This is a really interesting subject. Most large businesses will probably not be affected by this, but parents wanting to protect children will be. And I'm not going down the "but who will think of the children" histrionics of the ISPs etc. who really want to monitor your usage for their own monetisation purposes.
There are a couple of main mechanisms for controlling Web access: during DNS resolution and after it. Simply: use the DNS service I say, and use my forward (outbound) web proxy.
The simplest and least loading is to force the use of specified DNS services: LAN devices get the right one or ones assigned by DHCP (usually the router itself or internal DNS) and the perimeter firewall blocks any outbound requests to TCP/53 and UDP/53, except from the DNS server. Now the only thing that your DNS service has to do is apply policies when resolving requests ... such mechanisms are employed by OpenDNS and SRM's Safe Access.
One way to stop LAN requests to DoH services could be to maintain a list of their IPs and then implement outbound firewall rules to block them. This is clunky and will at best block access to well-known providers, but I'm sure the list will grow. For SRM, its firewall doesn't allow rules to be applied to groups of IPs, so you'll have to have one rule per IP.
The only real way to block DoH from LAN requests is to deploy a web proxy that either has a well-maintained list of known DoH IPs and URLs or SSL decryption capabilities. The latter will require local devices to install an intermediate certificate that allows the proxy to decrypt requests and then it will create the onward secure connection to the DoH server. This decryption would happen for all HTTPS traffic, so banking etc. would be inspected too. That's unless there is also the ability to define URL categories that don't get decrypted ... which is how this is done for business-grade (GDPR compliant) services.
Businesses can afford to use such mechanisms so DoH use can be controlled/blocked but home users are the real losers of control.
The only other ways I can see are to either use application-aware firewalls or offload this to your ISP, since they control the connection from you to the Internet. The ISP could apply filtering to remove DoH, but then most that are currently specifying their own DNS do so because they don't want the ISP to do it.
Edit
Just thought that Threat Prevention could be used to control this if it could have a filter for DoH.
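The two perimeter rules described in the post (port 53 only from the approved DNS server, plus a block list of DoH IPs), as an added example that is not part of the original post and not any router's own rule syntax. The LAN range, the resolver address, the short DoH list and the function names `decide` and `audit` are assumptions made for illustration; the fourth sample flow shows the gap the post calls clunky, where an unlisted DoH server passes.

```python
import ipaddress

# Assumptions (constructed for this example, not taken from the post):
LAN = ipaddress.ip_network("192.168.1.0/24")
DNS_SERVER = ipaddress.ip_address("192.168.1.1")  # router / internal DNS assigned by DHCP
# Small sample of well-known public DoH endpoints; a real list is longer and changes.
DOH_IPS = {ipaddress.ip_address(a) for a in
           ("1.1.1.1", "1.0.0.1", "8.8.8.8", "8.8.4.4", "9.9.9.9")}

def decide(src, dst, proto, dport):
    """Return (action, reason) for one outbound flow under the policy in the post."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if src not in LAN or dst in LAN:
        return ("allow", "not LAN-to-Internet traffic")
    if dport == 53 and proto in ("tcp", "udp"):
        if src == DNS_SERVER:
            return ("allow", "DNS from the approved resolver")
        return ("block", "direct DNS bypassing the approved resolver")
    if dport == 443 and dst in DOH_IPS:
        return ("block", "HTTPS to a listed DoH endpoint")
    return ("allow", "no rule matched")

def audit(flows):
    """Return the flows the policy would block, each paired with its reason."""
    blocked = []
    for flow in flows:
        action, reason = decide(*flow)
        if action == "block":
            blocked.append((flow, reason))
    return blocked

# Constructed sample flows: (source, destination, protocol, destination port)
SAMPLE_FLOWS = [
    ("192.168.1.1", "9.9.9.9", "udp", 53),         # router resolving upstream
    ("192.168.1.50", "8.8.8.8", "udp", 53),        # client with a hard-coded resolver
    ("192.168.1.50", "1.1.1.1", "tcp", 443),       # DoH to a listed provider
    ("192.168.1.50", "203.0.113.10", "tcp", 443),  # DoH to an unlisted server: not caught
    ("192.168.1.50", "192.168.1.1", "udp", 53),    # normal lookup to the router
]

if __name__ == "__main__":
    for flow, reason in audit(SAMPLE_FLOWS):
        print(flow, "->", reason)
```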