@msatter: Let's try once more. You want to visit https://forum.mikrotik.com. There are two steps:
1) resolve forum.mikrotik.com to numeric IP address
2) establish a TCP connection to the IP address from 1), negotiate encryption with the server and send the HTTP request
To do 1), you have several choices. You can send traditional DNS query to port 53 and ask ISP's server or some public one (ISP can see both). You can tunnel these queries through VPN (ISP can no longer see them, but now VPN provider can). You can be sneaky, write down the correct IP address and put it in local hosts file, this way there won't be any DNS query leaving your computer and nobody will see it. Or you can use DoH and neither ISP nor VPN provider will see the query, because it will be encrypted. Whoever runs the DoH server will see it, obviously, but you probably trust them.
Now let's focus on DoH. It's DNS over HTTPS, so there's the HTTPS part and HTTPS can use SNI to indicate the target hostname. Honestly, I have no idea if a DoH client uses SNI or not. But it doesn't matter, because even if it does, it will contain the name of the DoH server, perhaps something like dns01.someprovider.tld. So now the ISP or VPN provider would know that you're using a DoH resolver. But hey, good news, they can't know that you're asking about forum.mikrotik.com.
And now the problematic part. Browser already knows the correct IP address (which forum.mikrotik.com uses). Browser opens tcp connection to this address and port 443. You're still good, nobody knows anything about forum.mikrotik.com (not counting that they may already know that this IP address belongs to it, but the name is not mentioned anywhere). Now browser needs to get certificate from server, in order to verify that it's really the correct one and there's no man-in-the-middle attack going on. And bam, here comes the "bad SNI".
Browser doesn't know what websites are hosted on the target address. It can be just forum.mikrotik.com, it can be other MikroTik websites, or perhaps some employee can also host a personal blog about kittens there, blog.routersandkittens.com. And each of these sites can have a different certificate. If you want to visit forum.mikrotik.com, it would be useless if the server sends the certificate for blog.routersandkittens.com. Technically, there could be one certificate valid for both, but it probably won't be the case. Perhaps the server could send both and the client could choose. It would work for two hosted websites. But it could also be more than two, thousands, no problem. The server can keep sending thousands of certificates to each client.
And that's what SNI does, as part of negotiation, client (in this case web browser) tells server "hello, I want to visit forum.mikrotik.com, would you please send me correct certificate?" And the problem is, currently used unencrypted SNI sends this greeting in readable plaintext form. So all the effort to get forum.mikrotik.com resolved secretly was for nothing, because now anyone on the way (either ISP or VPN provider) can see that you're visiting forum.mikrotik.com.
You see the problem now, right?