I went down a similar rabbit hole recently with unbound as a caching resolver, where it appeared to work on my real computers but didn't on phones. I took a pcap and found that my Android 10+ devices were refusing to use the good-old port 53 DNS my unbound jail was serving because it wasn't DoT. Once I set up unbound with real certs _and_ set it as each device's "Private DNS", it worked as expected.
Your issue might be different but I suggest taking a pcap to make sure your assumptions about what is answering a given DNS query are true.