OP is stating that "apps and devices" may circumvent DNS blocking by resorting to DoH. You can run your own DoH server, and you can even advertise it via your DHCP server, but clients ("apps and devices") do not need to accept the supplied servers for their own configuration.
They don't even have to be hardcoded, they just have to ignore anything you specify or not give you any option to specify your own. As long as a device manufacturer can push updates to your device (even by IP address) they can regularly update their chosen DNS servers when needed. Honestly though, for many devices I doubt they'd even bother. Companies seem to have little trouble taking the position that if your device is more than a few years old you're insane for expecting them to still support it and you should have already thrown it away and bought another one.
How do you force applications to use this server? I mean, even if you MITM the connection to the application’s preferred DoH server, the application probably checks the certificate of the DoH server and refuses to work at all if it can’t get a verified connection.
You don’t MITM the DoH, you substitute it with your own server.
I have yet to see DNS/DoH “pinning”, and apps (browsers) will let you override it. Embedding DNS entries in apps is a bad idea (as opposed to cert pinning, which is about fixed trust, and a good idea).
Given that sometimes this is going to be blocked, even if they did it would fall to the host resolver.