True. Luckily (?) most keyed/authenticated NTP setups I've seen still use port 123, so they get broken automatically on the port redirect method. Which I'm fine with.
Of course, nothing stopping anyone from using a different port for NTP requests, then it is a cat and mouse game (or a protocol identification/fingerprint game - depending on the technology available and complexity/admin burden you want).
Oh, one more thing.... If you have Docker available, there are a number of containers that implement NTPD as a stratum 2 server. Can spin one of those up in <10 seconds (if you are a Docker user, of course, and if you aren't, you should be. ).