Neither DNS-over-TLS nor DNS-over-HTTPS requires authentication.
The solution you seem to be striving for will hence result in you running an open resolver, regardless of ports used.
The only reliable way, known to me, to safely access a cloud-based Pi-hole without publicly exposing it as an open resolver is by means of a VPN.
As for your other request:
You could explore EDNS(0) to fix this, see Support for add-subnet option from dnsmasq (ECS/EDNS0 Client Subnet).
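To see for yourself whether a resolver answers recursive queries from an outside vantage point (the open-resolver situation the reply warns about), here is an added example check, not code from the reply or from the Pi-hole project. It builds a plain UDP DNS query with the standard-library `socket` and `struct` modules and classifies the answer by the RA flag, RCODE and answer count; the host, port and query name are assumptions you supply on the command line, and the classification labels are my own.

```python
"""Probe a DNS resolver and report whether it behaves as an open resolver
from this network position. Added example; not part of the original post."""
import random
import socket
import struct
import sys

DNS_FLAG_QR = 0x8000  # response bit
DNS_FLAG_RD = 0x0100  # recursion desired
DNS_FLAG_RA = 0x0080  # recursion available


def build_query(name: str, txid: int, qtype: int = 1) -> bytes:
    """Encode a single-question DNS query (default QTYPE A, QCLASS IN)."""
    header = struct.pack("!HHHHHH", txid, DNS_FLAG_RD, 1, 0, 0, 0)
    qname = b"".join(
        struct.pack("!B", len(label)) + label.encode("ascii")
        for label in name.strip(".").split(".")
    ) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)


def classify_response(resp: bytes, txid: int) -> str:
    """Map a raw DNS response to one of:
    'open' (recursion offered and an answer returned for a name the server
    is not authoritative for), 'recursion-offered' (RA set but no answer),
    'refused' (RCODE 5), 'closed' (RA clear) or 'malformed'."""
    if len(resp) < 12:
        return "malformed"
    rid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", resp[:12])
    if rid != txid or not flags & DNS_FLAG_QR:
        return "malformed"
    rcode = flags & 0x000F
    if rcode == 5:
        return "refused"
    if flags & DNS_FLAG_RA and rcode == 0 and an > 0:
        return "open"
    if flags & DNS_FLAG_RA:
        return "recursion-offered"
    return "closed"


def probe(host: str, port: int = 53, name: str = "example.com",
          timeout: float = 3.0) -> str:
    """Send one UDP query and classify the reply; 'no-response' on timeout."""
    txid = random.randrange(0, 0x10000)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        try:
            sock.sendto(build_query(name, txid), (host, port))
            resp, _ = sock.recvfrom(4096)
        except socket.timeout:
            return "no-response"
    return classify_response(resp, txid)


if __name__ == "__main__":
    # Usage: python probe.py <resolver-ip> [port] [name]  (values are yours)
    target = sys.argv[1]
    target_port = int(sys.argv[2]) if len(sys.argv) > 2 else 53
    qname = sys.argv[3] if len(sys.argv) > 3 else "example.com"
    print(f"{target}:{target_port} -> {probe(target, target_port, qname)}")
```

Run it from a host outside your own network against the Pi-hole's public address; a result of `open` means the server is recursing for anyone who can reach the port, which is exactly the exposure a VPN in front of the resolver avoids. `no-response` or `refused` is what you want to see from the outside.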