You said in Post #2, that it isn't possible..
It is..
If the client devices want internet access, they follow my rules (no VPNs and no DoH).. Internet traffic without DNS lookups, they get null-routed.
I have TikTok permanently blocked, sometimes YouTube.
The problem with blocking YouTube for students, is that some (many) teachers assign YouTube videos as instruction and/or homework.
And this is with MikroTik Router?
Post your config.
What, you want evidence? Hearsay and opinion are not enough!
My AP (Cisco Aironet) has a checkbox to disallow ‘randomized’ MACs.
PiHole blocks TikTok and YouTube (when desired).
RouterOS drops 1.1.1.1, 8.8.4.4, and 8.8.8.8 and individual clients as needed. Plus a few other well-known DoH servers.
I look at the PiHole logs manually, if a client isn’t making lookups, I manually add them to the firewall drop rules.
Evidens that some are done that I would say can not be down without control of the client.
Try this:
https://ultrasurf.us/
Its a simple exe file, that your run on your PC (or other), that makes a proxy for your browser. No need to admin rights.
Its made for passing the great wall of china.
And this is just one of many tools that can be used to bypass the most blockage.
puTTY.exe can do this too with an SSH server.
My network, I would notice both (no DNS lookups for the host), and then drop the host’s traffic.
So you block everything, not youtube selectively, and continue to be offtopic.
No one has posted a NON-invasive method on the client device, which selectively blocks youtube ONLY,
no matter if the user use VPN, private DoH (yes… PRIVATE…), ICMP tunnels, etc…
All empty talks…
Still valid post #2, that is the reply of this topic, not about change client device config or block everything if the user do not use that DNS, etc.
No.
I only block everything if the host continues to use DoH and/or VPN/Proxy services.
If a LAN IP has internet traffic but no local DNS lookups, they lose internet access.
What does non-invasive mean to you?
It’s invasive to block everything in retaliation because you are not able to just block youtube…
It is invasive to act on the customer’s device.
The customer must be able to do anything freely, except use youtube, and you must not touch the device config or install some software.
If you alter this premise in anything, is not anymore on topic.
It’s obvious if I break the client device, with that he doesn’t go on youtube anymore… (but not anywhere else either…)
How is this not on topic? That wasn’t a stated requirement in the OP.
Otherwise you are being dumb.. User is allowed whatever proxy and VPN they want, but still ‘required’ to block YouTube? No solution can do that unless internet access overall is white-listed.
My network, my rules. If the user wants internet access, they are not allowed to use VPN/Proxy or DoH. They use those, they lose network access. User can do it themselves or they can ask for help with the settings if they need.
Post #2…
Too bad we are not close, otherwise I would show you how easy it is to get around this thing…
Of course, if you know I’m there and you purposely watch what I do…
But try to catch me with hundreds of other people surfing on the same network…
As long as you don’t blacklist EVERYTHING and only allow certain IPs/sites, there is always a way around the blocks.
There is always a way to skin the cat so to speak 
Everything can be gotten around with time and effort.. My primary method is to remove users with traffic that do not have DNS lookups, which would work for the OP and majority of users.
Blocking YouTube for students, is not a good idea because teachers assign/use YouTube for lessons, but it can be done. I will have TikTok blocked for the foreseeable future though.
Even that can be gotten around, speaking from experience.. haha Time and effort.. 
Haha, really showing your age, family members will use cell data to watch tik tok as the main vector is smartphone… Get with the times Kev! 
By the way tik tok also makes large balloons!
They tried that when I blocked YouTube…
I turned off their cellular data in response..
Well, the outcome will be quite simple, they will either
a. spend less and less time at your place ( the dungeon) and more and more time at other peoples houses. :-0
b. will become software and wifi engineers and devise work arounds ( heck a wireless wire cube setup in the right location would allow them to beam and bypass your entire setup LOL )
I will encourage both options.. Especially “b”. 
Already have a longer-term goal of talking to the ISS as it passes over..
Likely less effort to hack the Pi-Hole server and disable the custom domain blacklists..
Quick/dirty solution to “b” would be deauths though..
BOFH, I am well aware, but it works well.. haha
I wonder if they will go into the drywall and splice off the ethernet line heading to your computer…oh the malware they could inject…
I did that at my parent’s place when I was younger.. haha Telephone line though, for dialup..