
If you're doing any SNI filtering, you can validate the SNI with the certificate passed in the ServerHello (which most tools skip, because that's computationally expensive in comparison). This involves reconstructing message streams as well, of course. You'll also need to figure out how to deal with 1RTT (probably block it).

I don't think it's much more of a pain than it already was. You can disable the feature on your side if you don't want it, and block+log any traffic with ECH enabled. Hell, you can set up an intercepting proxy with your own CA if you want. That way, nothing gets out without at least getting logged.

Of course this becomes quite difficult if you don't own the devices you're monitoring, but that is kind of the point behind TLS/ODoH/ECH.
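As an added example (not from the comment's author), here is the SNI-versus-certificate check described above in Python: pull the host_name out of a ClientHello's SNI extension and compare it with the names the server's certificate carries. It assumes the certificate's names are already available to the filter (in TLS 1.2 the Certificate message follows the ServerHello in the clear; with TLS 1.3 or ECH you would need the intercepting-proxy setup the comment mentions), and the SAN list below is a constructed sample, not a real certificate.

```python
import struct

def build_client_hello(server_name: str) -> bytes:
    """Minimal TLS 1.2 ClientHello handshake message with an SNI extension (constructed input)."""
    host = server_name.encode()
    entry = b"\x00" + struct.pack("!H", len(host)) + host      # name_type 0 = host_name
    sni_list = struct.pack("!H", len(entry)) + entry           # ServerNameList
    ext = struct.pack("!HH", 0, len(sni_list)) + sni_list      # extension type 0 = server_name
    body = (b"\x03\x03" + bytes(32)      # client_version, random
            + b"\x00"                    # empty session_id
            + b"\x00\x02\xc0\x2f"        # one cipher suite
            + b"\x01\x00"                # null compression only
            + struct.pack("!H", len(ext)) + ext)
    return b"\x01" + len(body).to_bytes(3, "big") + body    # handshake type 1 = client_hello

def extract_sni(handshake: bytes):
    """Return the host_name str from a ClientHello's SNI extension, or None if absent."""
    if len(handshake) < 4 or handshake[0] != 1:
        return None
    p = 4 + 2 + 32                                          # header, version, random
    p += 1 + handshake[p]                                   # session_id
    p += 2 + struct.unpack("!H", handshake[p:p + 2])[0]     # cipher_suites
    p += 1 + handshake[p]                                   # compression_methods
    if p + 2 > len(handshake):
        return None                                         # no extensions block
    end = p + 2 + struct.unpack("!H", handshake[p:p + 2])[0]
    p += 2
    while p + 4 <= end:
        etype, elen = struct.unpack("!HH", handshake[p:p + 4])
        p += 4
        if etype == 0 and elen >= 5 and handshake[p + 2] == 0:
            nlen = struct.unpack("!H", handshake[p + 3:p + 5])[0]
            return handshake[p + 5:p + 5 + nlen].decode("ascii", "replace")
        p += elen
    return None

def name_matches(sni: str, cert_name: str) -> bool:
    """RFC 6125-style comparison: exact match, or a single leftmost wildcard label."""
    sni, cert_name = sni.lower().rstrip("."), cert_name.lower().rstrip(".")
    if cert_name.startswith("*."):
        s, c = sni.split("."), cert_name.split(".")
        return len(s) == len(c) and s[1:] == c[1:]
    return sni == cert_name

def sni_consistent_with_cert(handshake: bytes, cert_names: list) -> bool:
    """The comment's check: does the client's SNI name a host the server's certificate covers?"""
    sni = extract_sni(handshake)
    return sni is not None and any(name_matches(sni, n) for n in cert_names)

# Constructed sample: SAN entries as they might be read from the server's Certificate message.
SAMPLE_CERT_SANS = ["example.com", "*.example.com"]
```

A False result from sni_consistent_with_cert is the case worth logging: the client asked for one name and the server answered with a certificate for something else.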



