From my understanding, they are somehow able to intercept DoH and block queries to restricted domains. Perhaps it is through unencrypted Server Name Indication, hard IP blocking, or otherwise.
If you have access to a cloud VPS server, I would suggest you try running an Outline VPN Server instance. https://getoutline.org. By far, it is the most resilient to interception tactics. It was designed for easy use by journalists to bypass censors. Shadowsocks is harder to detect than other VPN types like WireGuard because those don't try to hide themselves at all. They (the IT department) would need some serious kit to detect that kind of traffic and differentiate it from HTTPS.
Although, beware that using it 24/7 will still look suspicious to any IT Admin because then all your traffic is going to a single weird server.
VPNs are easy to block even if they run on HTTP/HTTPS ports and are encrypted.
Connection characteristics for a VPN connection are very different from a legit HTTPS connection.
They cannot prevent you from connecting on the port, but an HTTPS connection does not stay connected for long, and any long-lasting connection can be dropped by their router, preventing you from keeping the VPN for longer than a few seconds/minutes.
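Added example, not part of any post in this thread: a sketch of the two network-side signals the replies describe, long-lived connections on port 443 and one client sending nearly all of its traffic to a single server, as an admin might compute them from flow records. The record layout, the sample flows and both thresholds are assumptions made up for illustration.

```python
from collections import defaultdict

# Constructed sample flow records: (client, server, dst_port, duration_s, bytes)
FLOWS = [
    ("10.0.0.5", "203.0.113.10", 443, 4, 120_000),
    ("10.0.0.5", "203.0.113.11", 443, 9, 300_000),
    ("10.0.0.5", "198.51.100.7", 443, 35, 900_000),
    ("10.0.0.8", "192.0.2.44", 443, 5400, 80_000_000),   # 90-minute session
    ("10.0.0.8", "203.0.113.10", 443, 3, 50_000),
    ("10.0.0.9", "198.51.100.7", 443, 1200, 2_000_000),  # long, but traffic is spread out
    ("10.0.0.9", "203.0.113.11", 443, 6, 3_000_000),
]

MAX_DURATION_S = 600   # assumed threshold for "too long for ordinary HTTPS"
MAX_DST_SHARE = 0.90   # assumed threshold for "all traffic goes to one server"

def long_lived(flows, max_duration=MAX_DURATION_S):
    """Port-443 flows that stayed open longer than max_duration seconds."""
    return [(c, s, d) for c, s, port, d, _ in flows
            if port == 443 and d > max_duration]

def concentrated(flows, max_share=MAX_DST_SHARE):
    """Clients whose top destination carries at least max_share of their bytes."""
    per_client = defaultdict(lambda: defaultdict(int))
    for c, s, _, _, nbytes in flows:
        per_client[c][s] += nbytes
    flagged = {}
    for c, dsts in per_client.items():
        total = sum(dsts.values())
        top, top_bytes = max(dsts.items(), key=lambda kv: kv[1])
        if total and top_bytes / total >= max_share:
            flagged[c] = (top, round(top_bytes / total, 3))
    return flagged

def suspects(flows):
    """Clients matching both signals; duration alone also catches
    long downloads and WebSocket sessions, so it is noisy on its own."""
    long_clients = {c for c, _, _ in long_lived(flows)}
    return sorted(long_clients & set(concentrated(flows)))

if __name__ == "__main__":
    print("long-lived:", long_lived(FLOWS))
    print("concentrated:", concentrated(FLOWS))
    print("both signals:", suspects(FLOWS))
```

In the sample data, 10.0.0.9 trips the duration check only, which is why the two signals are combined before anything is flagged.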