Help me out with Split Tunnels and Android Private DNS

Hello all,
I am using an MDM to set the private DNS on Android to our filtering policies on Cloudflare Gateway. This is working great for the most part, however occasionally we have an app that needs to use a domain that is blocked and that we do not want to allow system wide access to.

This would seem to be able to be solved by using the Cloudflare One app and Split Tunnels.

However, I am having trouble getting this thing to behave like I would expect and am hoping someone can chime in here with a little advice.

Here is what we would like to achieve:

  1. Set the Private DNS server on the device to a filter policy that only allows access to these specific URLs
  2. Send all other traffic through the Cloudflare One VPN except for excluded apps, which would be resolved using the Private DNS settings on the device.

This approach would allow us to apply different policies to excluded apps rather than no policies and would mostly disable internet access on the device if the Cloudflare One app would stop for some reason.

Any help or other ideas on how to achieve this would be appreciated.
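Before debugging split-tunnel behaviour it is worth confirming what the MDM actually pushed to the device, since Android only uses a Private DNS hostname when the mode is `hostname` (not `off` or `opportunistic`). The script below is an added example, not code from the original post or from Cloudflare; it parses the output of `adb shell settings list global`, where Android exposes these values as `private_dns_mode` and `private_dns_specifier`. The hostname `example-account.cloudflare-gateway.com` is a placeholder for a real Gateway DNS-over-TLS hostname, and the sample listings are constructed, not captured from a device.

```shell
#!/usr/bin/env bash
# Added example (not from the original post or Cloudflare): verify the Android
# Private DNS configuration an MDM pushed before troubleshooting split tunnels.
#
# Android stores Private DNS in Settings.Global as:
#   private_dns_mode       off | opportunistic | hostname
#   private_dns_specifier  DNS-over-TLS hostname, only used when mode=hostname

# check_private_dns <settings-listing> <expected-hostname>
# <settings-listing> is the text from `adb shell settings list global`.
# Returns 0 only if mode is "hostname" and the specifier matches <expected-hostname>.
check_private_dns() {
    local listing="$1" expected="$2"
    local mode spec
    # Last match wins if a key somehow appears twice in the listing.
    mode=$(printf '%s\n' "$listing" | sed -n 's/^private_dns_mode=//p' | tail -n 1)
    spec=$(printf '%s\n' "$listing" | sed -n 's/^private_dns_specifier=//p' | tail -n 1)

    if [ "$mode" != "hostname" ]; then
        echo "private_dns_mode is '${mode:-unset}', expected 'hostname'" >&2
        return 1
    fi
    if [ "$spec" != "$expected" ]; then
        echo "private_dns_specifier is '${spec:-unset}', expected '$expected'" >&2
        return 1
    fi
    echo "Private DNS OK: mode=$mode specifier=$spec"
    return 0
}

# Constructed sample listings (placeholder Gateway hostname, not a real account).
GOOD_LISTING='airplane_mode_on=0
private_dns_mode=hostname
private_dns_specifier=example-account.cloudflare-gateway.com
wifi_on=1'

# Typical misconfiguration: the hostname was pushed but the mode was left on
# "opportunistic", so the device ignores the specifier and uses the network resolver.
BAD_LISTING='private_dns_mode=opportunistic
private_dns_specifier=example-account.cloudflare-gateway.com'

# Against a live device (requires adb and USB debugging):
#   check_private_dns "$(adb shell settings list global)" example-account.cloudflare-gateway.com
```

Run the check on a device where an excluded app misbehaves: if the mode is not `hostname`, traffic for excluded apps is falling back to the network's resolver rather than the Gateway policy, which is a different problem from the split-tunnel configuration itself.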