Android's Private DNS not operational with servers using Let's Encrypt (2021) (ikarus.sg)
2 points by jesprenj on May 3, 2023 | 2 comments


Odd. I have never seen this behavior with my Android talking to my home firewall which is using a LetsEncrypt wildcard cert. DoT has worked fine since well before 2021 and still does as of right now. I am just using Unbound DNS locally and that forwards over DoT to Unbound DNS servers running on a few VPS providers. What they are describing sounds more like the intermediate cert is missing or installed incorrectly. kdig may still work if the node they are running kdig from has the right CA certs for LetsEncrypt thus negating the need for the intermediate cert.


Is your server sending the signature by an expired CA certificate (DSA)? If not, there is no problem (article author explained the fix).

I followed his fix, and only after removing DSA from my certs did Private DNS start working.



