jzebedee parent
Please do. I'd be curious what a secure-by-default self hosted resolver would look like.
For what it may be worth, here's a most basic (but fully working) config for running Unbound as a DoT-only forwarder:
server:
    logfile: ""
    log-queries: no
    # adjust as necessary
    interface: 127.0.0.1@53
    access-control: 127.0.0.0/8 allow
    infra-keep-probing: yes
    tls-system-cert: yes

forward-zone:
    name: "."
    forward-tls-upstream: yes
    forward-addr: 9.9.9.9@853#dns.quad9.net
    forward-addr: 193.110.81.9@853#zero.dns0.eu
    forward-addr: 149.112.112.112@853#dns.quad9.net
    forward-addr: 185.253.5.9@853#zero.dns0.eu
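
A lint for the kind of config posted above, as an added example that is not part of the original comment or of Unbound itself: it checks the three settings that make forwarding authenticated DoT, namely a CA store, TLS on each forward zone, and a `#auth-name` on every `forward-addr` (without the name Unbound accepts any certificate name). The `WEAK` sample is constructed, and the helper names `parse`, `enabled` and `lint` are hypothetical.

```python
import re

# Constructed sample: TLS is on, but no CA store and one upstream has no auth name.
WEAK = """
server:
    logfile: ""
forward-zone:
    name: "."
    forward-tls-upstream: yes   # trailing comment
    forward-addr: 9.9.9.9@853
    forward-addr: 149.112.112.112@853#dns.quad9.net
"""

def parse(text):
    """Split unbound.conf text into [(clause, {option: [values]})]."""
    clauses = []
    for raw in text.splitlines():
        # '#' opens a comment only at the start of a token; inside
        # "addr@853#name" it introduces the TLS authentication name.
        line = re.sub(r"(^|\s)#.*$", "", raw).strip()
        if not line:
            continue
        key, _, value = (part.strip() for part in line.partition(":"))
        if not value:                       # "server:" or "forward-zone:"
            clauses.append((key, {}))
        elif clauses:
            clauses[-1][1].setdefault(key, []).append(value.strip('"'))
    return clauses

def enabled(opts, key):
    return opts.get(key, ["no"])[-1] == "yes"

def lint(text):
    """Return findings; an empty list means authenticated DoT forwarding."""
    clauses, server, findings = parse(text), {}, []
    for name, opts in clauses:
        server.update(opts if name == "server" else {})
    if not (enabled(server, "tls-system-cert") or enabled(server, "tls-win-cert")
            or server.get("tls-cert-bundle", [""])[-1]):
        findings.append("no CA store: upstream certificates are not verified")
    for opts in (o for n, o in clauses if n == "forward-zone"):
        zone = opts.get("name", ["?"])[-1]
        if not (enabled(opts, "forward-tls-upstream") or enabled(server, "tls-upstream")):
            findings.append(f"zone {zone}: queries are forwarded without TLS")
        findings += [f"zone {zone}: {addr} has no TLS auth name"
                     for addr in opts.get("forward-addr", []) if not addr.partition("#")[2]]
    return findings

if __name__ == "__main__":
    print("\n".join(lint(WEAK)) or "ok")
```

Run against the config in the comment above, `lint` returns an empty list; on `WEAK` it reports the missing CA store and the upstream without an auth name.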