it does not matter under what port including 443 you are running the service, deep packet inspection (DPI) can sniff out VPN traffic, perhaps you may not encountered this type of firewall as it somewhat more expensive to run both computationally and licensing wise.

It is not possible to sniff out DoH traffic via DPI as looks exactly the same as regular traffic

While running flash servers for media use in corporate environment (when flash was still a thing) back I used to run into similar problems with RTMP/ RTMPS constantly.

You can use an HTTPS "CONNECT" proxy to protect your VPN traffic in the same way (I assume that's the kind of setup they were referring to on port 443)