pwdisswordfishq 2 hours ago

It's no longer a ban / blacklist. It's a whitelist with extremely strict rules and DPI inspection. You can connect to example.com ONLY if it is whitelisted, and only if you use this specific IP and Port, with this specific TLS handshake fingerprint and certificate, and the first N packets follow these timing / length patterns.

A few weeks ago a very clever way to bypass the SNI whitelist was introduced [1] (SNI spoofing for Cloudflare!) but it was subsequently blocked. Some claim that at this moment all outbound TCP connections are terminated inside the firewall / ISPs and therefore methods like [1] based on injecting fake or problematic TCP packets no longer work. It seems like even SYN-free TCP connections (again, breaking protocol) are no longer accessible.

[1] https://github.com/therealaleph/sni-spoofing-rust