This account is a replica from Hacker News.

This may very well be the system in use.

I've seen this effect in several places, not just my work.

Of note: I do not work in the tech sphere. I suspect that this particular loophole may be used by IT personnel to be able to tell the management "yes, we block VPN use" while letting them continue to use their own VPNs. I see no reason to complain.

Initiate while on a mobile connection or tethered to one (or just leave it connected from home), then use it while on that WiFi.

EDIT: I figured this out because I brought my laptop from home to do a few things while at work that needed it. I noticed that my Tailscale connection (initially established at home) was working just fine. That's when I realized that it was the initial authentication that was blocked, not the service.

My phone is usually on my tailnet and my iPad is always on it (and using my home exit node), as a result. Using the exit node has a modest but noticeable effect on battery life, but just being connected is maybe 2% of battery a day. Negligible.

Tailscale has another interesting feature that I figured out entirely by accident: while the SSO planes (at least using Apple as SSO, rather than your own) may be blocked, the data planes and actual control planes usually are not. If your device is connected to your tailnet before joining a given WiFi, it will stay connected afterward.

The guest WiFi at work blocks OpenVPN connections, but an established Tailscale connection slips by. I haven't tried straight WireGuard because I don't consider Tailscale having timing and volume data on me to be all that valuable to them, and they do mitigate the double-NAT situation. I do run a private peer relay for my tailnet but not a full DERP server, nor do I run Headscale.

Obviously, your personal security concerns play a role here, but I'm not doing anything I wouldn't do straight from my home network, so I see no reason to make my life harder. If you need that level of security, you need a different solution.