As long as your observations relate to clients that were by-passing Pi-hole at the time, it is impossible that Pi-hole is involved at all.
With DoH, a browser's DNS requests will by-pass Pi-hole, and using VPN client software will usually do so as well for all DNS traffic from a device (as confirmed by your nslookup listing NordVPN's DNS server).
Pi-hole does take the necessary steps to signal Firefox it should disable DoH (by providing the appropriate answer for Mozilla's canary domain).
Still, if you have explicitly configured your Firefox to always use DoH, it will do so and thus by-pass Pi-hole.
For other browsers, you also want to verify that DoH is switched off to avoid Pi-hole by-passes.
You should first establish a verified configuration that is not by-passing Pi-hole by any means. Also make sure to clear your OS's and browser's DNS caches.
Then repeat your tests with the Amazon website, and if you run into blocking issues then, "How do I determine what domain an ad is coming from?" may be helpful.
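A way to check the canary signal mentioned above against whichever resolver a client is really using, as an added example that is not part of the original post. It assumes the canary name `use-application-dns.net` and the rule from Mozilla's documentation (NXDOMAIN, or NOERROR with no A/AAAA record, keeps DoH off by default); the function names are hypothetical.

```python
import socket, struct, sys

CANARY = "use-application-dns.net"  # Mozilla's DoH canary domain (assumption: not named in the post)

def build_query(name, qtype, txid=0x1234):
    """Minimal DNS query with RD set; qtype 1 = A, 28 = AAAA."""
    labels = b"".join(bytes([len(p)]) + p.encode("ascii") for p in name.split("."))
    return (struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
            + labels + b"\x00" + struct.pack("!HH", qtype, 1))

def skip_name(msg, off):
    """Offset just past a name that may end in a compression pointer."""
    while msg[off] and msg[off] & 0xC0 != 0xC0:
        off += 1 + msg[off]
    return off + (2 if msg[off] else 1)

def canary_signals_no_doh(msg):
    """True for NXDOMAIN, or NOERROR with no A/AAAA record in the answers."""
    _, flags, qd, an, _, _ = struct.unpack("!HHHHHH", msg[:12])
    rcode = flags & 0x000F
    if rcode:
        return rcode == 3               # NXDOMAIN signals; SERVFAIL etc. do not
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4   # QTYPE + QCLASS
    for _ in range(an):
        off = skip_name(msg, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        if rtype in (1, 28):            # an address record: canary not blocked
            return False
        off += 10 + rdlen
    return True

def check_resolver(server, timeout=3.0):
    """Ask `server` for the canary's A and AAAA records over UDP port 53."""
    results = []
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        for qtype in (1, 28):
            s.sendto(build_query(CANARY, qtype), (server, 53))
            results.append(canary_signals_no_doh(s.recvfrom(4096)[0]))
    return all(results)

if __name__ == "__main__":
    if len(sys.argv) > 1:               # argument: resolver IP, e.g. the Pi-hole
        print(sys.argv[1], "disables default DoH:", check_resolver(sys.argv[1]))
    else:                               # constructed NXDOMAIN reply, runs offline
        q = build_query(CANARY, 1)
        print(canary_signals_no_doh(q[:2] + b"\x81\x83" + q[4:]))
```

Run it once against the Pi-hole's address and once against the DNS server that nslookup reports on the client; a `False` for the latter means Firefox's default DoH is not being switched off on that path.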