
Anycast primary IPv6 unusable from 2a01:b600::/32 (AS43989 - EHIWEB)

As the title says, whenever I try to resolve anything using DoH with the anycast primary IPv6 address for my profile, name resolution fails because the connection does not go beyond the TLS Client Hello (profile ID redacted from the destination IPv6 address):

root@tsvm:~# curl -v -H 'Accept: application/dns-json' --resolve dns.nextdns.io:443:2a07:a8c0::REDACTED:REDACTED https://dns.nextdns.io/
* Added dns.nextdns.io:443:2a07:a8c0::REDACTED:REDACTED to DNS cache
* Hostname dns.nextdns.io was found in DNS cache
*   Trying [2a07:a8c0::REDACTED:REDACTED]:443...
* Connected to dns.nextdns.io (2a07:a8c0::REDACTED:REDACTED) port 443
* ALPN: curl offers h2,http/1.1
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
*  CAfile: /etc/ssl/certs/ca-certificates.crt
*  CApath: /etc/ssl/certs
The same curl towards the anycast secondary IPv6 address completes correctly.

Also, ping.nextdns.io reports reachability errors for the following PoPs:

  • zepto-zrh (IPv6)

  • anexia-zrh (IPv6)

  • zepto-zag (IPv6)

  • hetzner-nue (IPv6)

  • anexia-vie (IPv6)

  • anycast.dns1.nextdns.io (IPv6)

IPv4 reachability is unaffected and other IPv6 PoPs are unaffected as well.

This is definitely an MTU/PMTUD issue between my ISP and those PoPs, because if I announce 1492 as the path MTU in the IPv6 RA messages the affected PoPs suddenly become reachable.

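A way to confirm the kind of black hole diagnosed above, as an added example that is not part of the original post or of any NextDNS tooling: it binary-searches ICMPv6 echo sizes between the IPv6 minimum MTU (1280) and 1500 with fragmentation prohibited, and reports the largest size that still gets a reply. It assumes iputils `ping` (with `-6` and `-M do`) is available; the probe is injectable so the search logic runs without a network.

```python
"""Added example: find the largest IPv6 packet size that reaches a host.
Not part of the original post. Assumes iputils `ping` with `-6` and
`-M do` (prohibit fragmentation). A result below 1500 means larger
packets vanish on the path, which is what leaves a TLS handshake stuck
right after the Client Hello: the server's full-size reply never arrives.
"""
import subprocess
import sys
from typing import Callable, Optional

IPV6_MIN_MTU = 1280   # every IPv6 link must carry at least this much
IPV6_HEADER = 40      # fixed IPv6 header
ICMPV6_HEADER = 8     # ICMPv6 echo request header

def payload_for_mtu(mtu: int) -> int:
    """Echo payload size (ping -s) so the whole packet is exactly mtu bytes."""
    return mtu - IPV6_HEADER - ICMPV6_HEADER

def ping_probe(mtu: int, host: str) -> bool:
    """True if one non-fragmentable echo of `mtu` bytes gets a reply.
    With -M do an oversized packet either fails locally (EMSGSIZE) or,
    in a black hole, simply times out; both give a non-zero exit code."""
    cmd = ["ping", "-6", "-M", "do", "-c", "1", "-W", "2",
           "-s", str(payload_for_mtu(mtu)), host]
    return subprocess.run(cmd, stdout=subprocess.DEVNULL,
                          stderr=subprocess.DEVNULL).returncode == 0

def find_path_mtu(host: str, ceiling: int = 1500,
                  probe: Callable[[int, str], bool] = ping_probe) -> Optional[int]:
    """Largest size in [IPV6_MIN_MTU, ceiling] that reaches host, or None
    if even the minimum fails (host down or ICMPv6 echo filtered).
    `probe` is injectable so the search can be tested without a network."""
    if not probe(IPV6_MIN_MTU, host):
        return None
    lo, hi = IPV6_MIN_MTU, ceiling      # invariant: lo passes, hi unknown
    while lo < hi:
        mid = (lo + hi + 1) // 2
        if probe(mid, host):
            lo = mid
        else:
            hi = mid - 1
    return lo

if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "dns.nextdns.io"
    pmtu = find_path_mtu(target)
    print(f"{target}: largest passing size {pmtu} (None = no reply at 1280)")
```

Run it against both the primary and the secondary anycast address: a result of 1492 on the broken path and 1500 on the working one matches the RA workaround described in the post.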