I don't see how DoH can be filtered at the firewall at request-level, since it looks like regular HTTPS traffic. Of course, MITMing HTTPS and then blocking particular DoH reqs and letting rest through would work, but apps that pin certificates might make MITMing an uncomfortable ordeal.

Blocking a DoH provider altogether might not be feasible.