IPv6+DOH/DOT+TLSv1.3 SNI-less handshake

It makes any snooping on our network connections more complicated, doesn’t it?
Enumerating/blacklisting the IPv6 address space is hard. IPv6 allows us to get as many addresses as needed, so the SNI extension becomes useless. DOT/DOH and a TLS handshake encrypted from the first message do the rest. What caveats might appear?
Those willing to block SNI-less connections are already doing this. Those who chose not to adopt IPv6 will remain restricted to IPv4 for ten years or so. I suppose decisions have been made. No ‘forensic’ will be surprised or scared :).

There are a few caveats and details I can think of:

  1. One difficulty is TLS fingerprinting. Even with encryption, the fingerprint of the TLS handshake can identify the connection as being from circumvention software. See for example OONI’s recent trouble with the Go net/tls fingerprint on certain hardware configurations. TLS fingerprinting is not impossible to overcome, but it needs some effort.
  2. The censor can identify proxies using active probing unless there is some form of client authentication.
  3. If a proxy will only be used by one or a few users, it’s not a problem, but for a proxy shared with many people, you need a way to distribute the proxy’s network address (and possible client authentication) to real users without the censor also learning the address.

First of all, my proposal is not about current Internet censorship champions like China or Turkmenistan. Quite probably, both China and Turkmenistan are already blocking SNI-less TLS connections. The former is known for blocking all the fast DOH/DOT resolvers; the latter will never adopt IPv6.
Of course, TLS fingerprinting can to some extent identify the client software. But using ordinary web clients is what I’m thinking about.
And I hope active probing will not be feasible for a league ‘B’ spying/censoring country with too many ‘strange’ connections to check.