I have a UDM-P (current firmware) that is pointed to a gateway that is hosting pihole. If you do not have pihole (or something similar) I suggest you check it out. I am wondering if there is a way to have another network (VLAN) go through the pihole and a VPN service like Nord.
Don’t use UniFi kit myself, but was running Pi-hole a couple of years ago.
The way you probably need to set it up in your scenario is to have your VPN VLAN devices pointing to the Pi-hole, then your Pi-hole pointing to your VPN DNS servers. Would be straightforward with 2 Pis, though if you had only one, I’m not clear how you would be certain you have no leaks.
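As an added illustration of the chain described in the reply above (not a config from the original thread or from the Pi-hole project), here is what the dedicated Pi-hole for the VPN VLAN would carry in a dnsmasq drop-in such as `/etc/dnsmasq.d/99-vpn-upstream.conf`. The interface name `eth0.20` and the `192.0.2.x` resolver addresses are placeholders; substitute the VLAN interface the Pi actually sits on and the resolvers your VPN provider publishes.

```conf
# Added example, not the thread author's config. Assumes a second Pi-hole
# whose only job is serving the VPN VLAN.

# Listen only on the VPN VLAN interface, so clients on other VLANs
# cannot reach this resolver by accident.
interface=eth0.20
bind-interfaces

# Ignore /etc/resolv.conf: the only upstreams this Pi-hole may use are
# the ones listed here. A stray system resolver is the classic leak path.
no-resolv

# Upstreams: the VPN provider's resolvers (placeholder addresses).
# These must be reached *through* the tunnel, so the tunnel route on this
# Pi has to cover them; otherwise the query leaves over the normal WAN.
server=192.0.2.53
server=192.0.2.54

# Do not fall back to anything else if the tunnel is down.
strict-order
```

The check that tells you the design holds is not on the Pi-hole but on the VPN VLAN client: hand it this Pi's address as its only DNS server via the VLAN's DHCP settings, then confirm from the Pi that queries leave only over the tunnel interface (for example by watching port 53 on the WAN interface while a client resolves names). This is why the reply above says one Pi is hard to vouch for: a single dnsmasq instance forwards every client to the same `server=` list, so it cannot keep the VPN VLAN's queries inside the tunnel while sending the rest of the house out directly.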
Feels like a lot of clutter to me; if you switch to pfSense then you can have network-wide ad-blocking from the router, no leaks whatsoever when used with a VPN service.