Visitor
•
2 Messages
I need someone to answer the question I've now asked tech support 7 times (and have subsequently been ignored the same number of times).
I don't want my kids circumventing the parental controls that I've set up via the Xfinity app.....they are sneaky little shysters who can adapt to any 'rule', you know, kinda like how viruses can mutate.
Anyway, every day I find another teenager who has metamorphosed themselves into a sneakier teenager.....
Please help me block the use of ANY AND ALL VPNs by ANY one of these slimy shape shifters using my wifi....I don't want any legit connectees using VPNs.
I was told before I signed onto Xfinity that it is possible.... Here I am, 30 days into my billing, and numerous tech support calls have netted nothing but cluelessness and/or "uummm what?" responses.
I've seen where a number of people have posted this same question, but nobody has yet replied.
Please advise!



CCAnthonyT
Retired Employee
•
1K Messages
4 years ago
Hey there, some devices give you generic VPN blocking tools; however, they are not an end-all, as VPNs change often to prevent detection. What kind of device are you using for your home network?
0
0
EG
Expert
•
118.4K Messages
4 years ago
The concern is not "Xfinity Home Security Devices" help related.... Thread moved here to the proper help section.
0
0
flatlander3
Problem Solver
•
1.5K Messages
4 years ago
Well, it may sound like an easy thing to do, but it is not. You are not going to be able to do it with Xfinity equipment.
What you can do is run all traffic through a firewall, including your WiFi traffic. Use bridge mode on your gateway, the firewall gets the external IP address, you buy WiFi access points or put a mesh network on the internal side of the firewall. Then you create a LAN rule for the inside that denies all traffic to port 1194 -- that's the default port for most VPN servers. Port 51820/UDP for WireGuard.
Great, but then one of their friends figures out you can run a VPN server on any port. They may also figure out the magic of SSH tunneling and SOCKS5 proxies. Even free open proxy servers. They crowdsource this stuff to bypass parental controls, so if you are not dealing with criminal genius, one of their friends is or knows a geek who will explain it for protection.
What you can do is make an acceptable use policy. Then cut off access for violations. They might say fine -- and buy a cell based hotspot.....
Dunno. Beatings perhaps?
0
0
NoNoBadPuppy
Problem Solver
•
736 Messages
4 years ago
Here are some things you need to consider: Your kids will be able to circumvent/bypass *ANY* parental controls you may put into place. The kids share how to do it online, and no matter what you do, Xfinity makes it easy to bypass any settings. If you continue to use the hardware provided by Xfinity, you will never be successful. Even with third-party hardware, it is very difficult to stop kids from circumventing whatever parental controls you may put in place. There are hardware firewall devices that you can use that are much, much harder to circumvent, but they are neither cheap nor easy to set up and maintain.
Other options: turning off your modem router when you are not using it so that the kids do not have access to the internet. Alternatively, you can take away their hardware, such as phones, computers, game consoles, etc., and only allow them access to it when you are home and monitoring what they are doing. There is also third-party software that will alert you when your kids go to places that you designate as off limits, although the kids will eventually get around it. We live in an age when information flows freely, and the kids can find out how to get around just about anything you do in a matter of minutes.
Suggest you set strict limits, and equally strict punishment when they violate your rules. First offense, loss of internet privileges for 24 hours. 2nd violation, loss of internet privileges for a week. Third offense, permanent loss of privileges. This one you have to be strong enough to stick to. If you take away their privilege, you have to stick to it; they will tell you they need it for school or homework, or some other reason, but you have to be the strong parent.
0
0
nehumanuscrede
Regular Visitor
•
7 Messages
4 years ago
Easiest method.
Tell them if you find out they're bypassing the restrictions, you'll simply disable their access to the internet completely.
Give them the benefit of the doubt and once they prove to you otherwise, follow through and introduce them to the world of consequences.
The tech-savvy parents won't disable the internet completely; instead they'll rate limit their kiddos' connections back to 1996 speeds and giggle to themselves as their kiddos have a melt-down over the frustration of trying to navigate the modern internet at 56kbps >:)
0
0
zandor60657
Contributor
•
230 Messages
4 years ago
Another thing you can do is put in a firewall that blocks outgoing connections by default, configure what is allowed, and add a proxy server for web access. Otherwise someone will put a VPN server on port 443 so your firewall rules that allow web browsing would allow a VPN connection. So toss in a proxy server for web access. You'll probably want a Pi-Hole DNS server too. Originally it ran on a Raspberry Pi and served as a "black hole" for ad servers, hence the name. Now a Pi-Hole can run on lots of platforms and there are curated block lists of more than just ad servers, like adult content, etc. This is serious technical work, will require substantial maintenance, and you won't get it done with "consumer grade" equipment. Like if the kids want to play a game you'll have to figure out which ports and IPs to open up to allow the game. But really setting a default rule of "deny" for outgoing connections then specifically allowing things is the only way to block everything unwanted. I'm a software engineer and I've been in the IT business for a couple decades and this is just too much work.
I wouldn't bother. I think nehumanuscrede and NoNoBadPuppy have the right idea. I'd maybe get some parental spyware to install on their phones, PCs, etc. and just punish them if I caught them doing something naughty. Also you can look into setting up logging to see what machine is connecting where. If you see something fishy go check it out.
1
0
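The logging idea in zandor60657's reply, combined with the port rule from flatlander3's reply, as an added example that is not part of any post in this thread: it reads netfilter-style firewall LOG lines and lists, per client, connections that hit the default VPN ports named above or that went straight out instead of through the proxy (the case a port-only rule misses, such as a VPN on 443). The proxy address and ports, the `LAN-OUT` log prefix, and every log line are assumptions constructed for the example.

```python
import re
from collections import defaultdict

# Default VPN ports named in the thread: 1194 and 51820/UDP (WireGuard).
VPN_PORTS = {("UDP", 1194), ("TCP", 1194), ("UDP", 51820)}
# Assumed layout: one host (address and ports are placeholders) runs the web
# proxy and the Pi-hole DNS server; it is the only place clients may connect.
PROXY_IP = "192.168.10.2"
ALLOWED = {(PROXY_IP, "TCP", 3128), (PROXY_IP, "UDP", 53), (PROXY_IP, "TCP", 53)}

FIELD = re.compile(r"\b(SRC|DST|PROTO|DPT)=(\S+)")

def parse(line):
    """Return (src, dst, proto, dport) from one netfilter LOG line, or None."""
    f = dict(FIELD.findall(line))
    if not {"SRC", "DST", "PROTO", "DPT"} <= f.keys() or not f["DPT"].isdigit():
        return None  # no port to judge (e.g. ICMP) or not a packet log line
    return f["SRC"], f["DST"], f["PROTO"], int(f["DPT"])

def review(lines):
    """Map each client IP to the sorted connections worth checking."""
    findings = defaultdict(set)
    for line in lines:
        rec = parse(line)
        # Skip unparsable lines, the proxy's own traffic, and permitted flows.
        if rec is None or rec[0] == PROXY_IP or rec[1:] in ALLOWED:
            continue
        src, dst, proto, port = rec
        reason = "vpn-default-port" if (proto, port) in VPN_PORTS else "bypassed-proxy"
        findings[src].add((reason, dst, proto, port))
    return {src: sorted(hits) for src, hits in findings.items()}

# Constructed sample lines using documentation address ranges, not real traffic.
P = "Jan 10 21:14:0%d fw kernel: LAN-OUT IN=br0 OUT=eth0 "
SAMPLE_LOG = [
    P % 1 + "SRC=192.168.1.23 DST=203.0.113.7 LEN=176 TTL=63 PROTO=UDP SPT=51011 DPT=51820",
    P % 2 + "SRC=192.168.1.23 DST=192.168.10.2 LEN=60 TTL=63 PROTO=TCP SPT=40112 DPT=3128 SYN",
    P % 3 + "SRC=192.168.1.31 DST=198.51.100.9 LEN=60 TTL=63 PROTO=TCP SPT=40990 DPT=443 SYN",
    P % 4 + "SRC=192.168.1.31 DST=192.168.10.2 LEN=71 TTL=63 PROTO=UDP SPT=33211 DPT=53",
    P % 5 + "SRC=192.168.1.40 DST=203.0.113.50 LEN=82 TTL=63 PROTO=UDP SPT=44100 DPT=1194",
    P % 6 + "SRC=192.168.1.40 DST=203.0.113.50 LEN=84 TTL=63 PROTO=ICMP TYPE=8 CODE=0",
]

if __name__ == "__main__":
    for src, hits in review(SAMPLE_LOG).items():
        for hit in hits:
            print(src, *hit)
```

With a default-deny outbound rule in place, the "bypassed-proxy" entries are blocked attempts rather than working connections, but they still show which device tried to go around the proxy.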