Absolutely DPI.
Complicate, block all outgoing connections except HTTP/HTTPS/MAIL.
To further complicate HTTP and HTTPS through a proxy.
Additionally, group policies prohibit the launch of VPN clients.
Well, the most important thing. There should be an order prohibiting the use of such funds in a company with the appropriate sanction, then traffic analysis by users and the application of this order.

You need a normal firewall, not a screw one. Or a proxy
With Windows, you can only allow outgoing http\https and DNS requests. Deny the rest And that's it ....
but there may be a problem with third-party software. and I think that the same ovpn will get through on port 443

DPI is needed here, but in general, if there are allowed types of traffic to the external network, then hypothetically you can hang a tunnel. The same chisel allows you to wrap TCP traffic in an HTTPS tunnel to your server. So we need not just DPI, but a full-fledged MitM.
It is worth approaching the task in a comprehensive manner: prohibiting the launch of applications on workstations, except for those necessary for work. But if the users have their own cars...

Normal firewall and normal proxy
No traffic passing around the proxy
Analysis of statistics and checking all the most voluminous addresses to find out who is forwarding tunnels masquerading as https. However, a call to the Security Council and the question "Please explain what these addresses are and why they have so much traffic" will also be effective here?
Such a task cannot be solved by purely technical means - only by administrative and technical ones.