I would suggest getting a packet capture of a client passing traffic to the YouTube video without restrictions, to verify the source(s) that need to be contacted.
It’s been awhile since I’ve done this specifically, but two thoughts. 1) allowing google.com will break captive portal detection for most Android devices and Google places most services behind that domain. 2) cloud video content usually comes from various sources and cdns. Since it’s embedded in the browser content, it looks like google.com it YouTube.com to the user, but the actual sources requested or served will be different.