The issue with media sites these days is that they use content delivery networks, which use different DNS names and IPs that are regionally distributed. This makes using a traditional netdestination with a DNS name (*.youtube.com) not possible. The YouTube page will load, but the actual media streams will end up blocked.
Newer controllers support AppRF 2.0 in AOS 6.4, which is actually able to fingerprint the YouTube traffic and allow you to use it in a session ACL.
You could try allowing *.googlevideo.com, but that may not catch everything.