Blocking Cloudflare WARP
Hi everyone,
We are trying to block users from bypassing our web filter using Cloudflare WARP (1.1.1.1).
We do not have Active Directory (AD) or GPO controls. Users are running WARP as portable apps directly from USBs (or had already downloaded it before we noticed), so endpoint/execution-level blocking is out of the question.
Our network architecture is constrained: a WatchGuard firewall NATs all LAN traffic into a single IP address before passing it to our core FortiGate.
The problem: we blocked the standard Cloudflare CDN IP lists, but already-registered/installed WARP clients bypass App Control by falling back to TCP/UDP 443.
What are the exact destination IP ranges and custom ports used strictly by the WARP client/WireGuard/MASQUE tunnels (and not standard Cloudflare CDN web traffic) that we can deny on both firewalls?
Any advice on blocking this connection fallback without breaking standard web traffic to sites hosted on Cloudflare? Thanks!
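One way to sanity-check a candidate deny list before pushing it to the firewalls, as an added example that is not part of the original post: the script below keeps the WARP tunnel ranges and the ordinary CDN ranges as two separate lists, classifies constructed firewall log lines by destination range rather than by port (since port 443 is shared with normal CDN traffic), and refuses to run if the two lists overlap, which is the case that would break access to sites hosted on Cloudflare. All CIDRs and ports here are placeholders (RFC 5737 TEST-NET addresses), not Cloudflare's real ranges; the log line format is constructed for the example.

```python
import ipaddress
import re
from dataclasses import dataclass

# PLACEHOLDER ranges (RFC 5737 TEST-NET, NOT real Cloudflare ranges).
# Replace each list with the ranges you confirm from Cloudflare's own
# documentation before using this to generate firewall objects.
WARP_TUNNEL_RANGES = [ipaddress.ip_network(c) for c in ("203.0.113.0/24",)]
CDN_RANGES = [ipaddress.ip_network(c) for c in ("198.51.100.0/24",)]

# The fallback port from the post; add the other tunnel ports once confirmed.
WARP_FALLBACK_PORTS = {443}


@dataclass(frozen=True)
class Flow:
    proto: str      # "tcp" or "udp"
    dst_ip: str
    dst_port: int


# Constructed log format for this example, e.g. "proto=udp dst=203.0.113.10 dport=443".
LOG_RE = re.compile(r"proto=(?P<proto>tcp|udp)\s+dst=(?P<dst>[\d.]+)\s+dport=(?P<dport>\d+)")


def parse_log_line(line):
    """Parse one constructed log line into a Flow; return None if it does not match."""
    m = LOG_RE.search(line)
    if not m:
        return None
    return Flow(m.group("proto"), m.group("dst"), int(m.group("dport")))


def in_ranges(ip, ranges):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in ranges)


def ranges_overlap(a, b):
    """True if any network in list a overlaps any network in list b."""
    return any(x.overlaps(y) for x in a for y in b)


def classify_flow(flow):
    """Return (verdict, reason) for a single outbound flow.

    Deny is keyed on the tunnel destination range, not on port 443 alone,
    so TCP/UDP 443 to CDN ranges (normal HTTPS / HTTP/3) is left untouched.
    """
    if in_ranges(flow.dst_ip, WARP_TUNNEL_RANGES):
        port_note = " on a known fallback port" if flow.dst_port in WARP_FALLBACK_PORTS else ""
        return "deny", f"destination in WARP tunnel range{port_note}"
    if in_ranges(flow.dst_ip, CDN_RANGES):
        return "allow", "ordinary Cloudflare CDN traffic"
    return "allow", "not a Cloudflare range; falls through to existing policy"


def evaluate_log(lines):
    """Classify every parseable log line; raise if the deny list would hit CDN ranges."""
    if ranges_overlap(WARP_TUNNEL_RANGES, CDN_RANGES):
        raise ValueError("WARP tunnel ranges overlap CDN ranges; deny rule would break CDN traffic")
    results = []
    for line in lines:
        flow = parse_log_line(line)
        if flow is not None:
            results.append((flow, *classify_flow(flow)))
    return results


# Constructed sample log lines (placeholder addresses).
SAMPLE_LOG = [
    "proto=udp dst=203.0.113.10 dport=443",    # WARP fallback into the tunnel range
    "proto=tcp dst=203.0.113.10 dport=443",    # same range over TCP
    "proto=tcp dst=198.51.100.7 dport=443",    # normal HTTPS to a CDN-hosted site
    "proto=udp dst=198.51.100.7 dport=443",    # HTTP/3 to a CDN-hosted site
    "proto=tcp dst=192.0.2.5 dport=80",        # unrelated traffic
    "garbage line with no fields",
]

if __name__ == "__main__":
    for flow, verdict, reason in evaluate_log(SAMPLE_LOG):
        print(f"{verdict:5} {flow.proto}/{flow.dst_port} -> {flow.dst_ip}: {reason}")
```

Run it with the real ranges substituted in: if `evaluate_log` raises, the candidate tunnel ranges sit inside a CDN range and a plain destination-based deny would take CDN sites down with it, which is exactly the breakage the post is worried about.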