Prime Video detects my VPN

I have a Beryl 7 on firmware 4.8.7 connected to a router that's connected to a modem.
I'm using Proton VPN on WireGuard + ControlD as my encrypted DNS. I have allowed custom DNS to override the VPN DNS.

I can't get Prime to work on Android TV because it detects my VPN, even though I have excluded domains. It works on an Android phone and tablet.

Any suggestions on how I can get it to work on Android TV?

If you really want to figure this out, I would recommend doing a tcpdump on this device on protocols 443, 853 and 53 for unknown domain names.

You may want to save it to a pcap file and open it in Wireshark to have optimal control.

Likely it is bypassing your DNS, and maybe it is even leveraging DoH or DoT; you need to downgrade it by blocking it. DoH wants IP blocklists.

But if you want to keep it simple, why not exclude the device's MAC or IP?

Edit:
Also try to check that your DNS is not showing a VPN DNS for some reason, since you use ControlD and DNS overriding. If the VPN tunnel had a DNS entry hardcoded, like on Mullvad, you may see leakage. It was something I noticed a very long time ago on GL firmware, but I have been told it should have been fixed. Just check it to be sure with dnsleaktest.com on the excluded devices; even a mismatch in the VPN DNS origin can make the detection think you are on a VPN.

And to add, for IPv6's sake: maybe temporarily disable IPv6 as a whole to ensure devices don't hang on an old RA with a working IPv6 VPN DNS, and make sure the TV is rebooted.

In my experience, if you use encrypted DNS with Proton, Prime will detect the VPN. You just have to use Proton's own DNS to make it work normally.

First part sounds complicated.

I don't want to exclude the device because there are things I want to be on the VPN connection.

I tested for DNS leaks; however, only 1 server was found, and that was the ControlD one.

Running IPv4, but did try IPv6... no luck.

It's just weird that nothing happens on my other devices running Prime with the same setup.

I don't want to use the VPN for Prime, so I had hoped it could be bypassed on the router.

I would try to use this for the first part:

First install screen; this allows you to have a passive SSH screen without closing it, so you can do whatever you like for a couple of days until it is done capturing.

opkg update && opkg install tcpdump screen

To start the screen instance and tcpdump within:

screen -dmS prime tcpdump -i br-lan -w /tmp/prime.pcap -W 1 -C 50 'host 10.234.53.4 and (dst port 53 or dst port 853 or dst port 443)'

This starts a screen with the name prime and captures around 50 MB in /tmp/prime.pcap. The /tmp folder is basically a RAM disk, so after a reboot the file is gone. You need to replace the IP with the IP of the Prime device you want to record.

With screen -ls you can see all open screens, and with screen -r <sessionname> you can connect. Inside an attached screen you can press Ctrl+C to terminate tcpdump and the screen, and with Ctrl+A, D you can detach again and make it run headless, so you can disconnect from SSH without interrupting the capture.

When it is done, you can surely terminate it sooner, before 50 MB, but the more you capture, the more you can learn about the device's networking.

Then use WinSCP and connect to your router, similar to FileZilla; make sure the SCP protocol is selected and use the same SSH credentials as the web UI.

Then load this prime.pcap file in Wireshark and analyze.

Also, maybe 50 is too much; after reading that this is about a Beryl 7, you can change the 50 in the -C to a smaller number.

If the tcpdump command fails there will be no spawned screen, so you may want to run the tcpdump command directly without the screen -dmS part and see what the error is. I tested it on my own router and it works, but again, I'm not using the GL software, so I can't guarantee that a segmentation fault won't happen; if it does, it is a compile problem in their tooling.
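As an added example (not code from this thread, GL.iNet or tcpdump), here is the offline half of the procedure described above: a small stdlib-only parser for the pcap the capture produces, which lists the client's plain DNS queries, flags port-53 traffic that does not go to the router's resolver, lists DNS-over-TLS (port 853) destinations, and counts HTTPS destinations where DoH would hide. The router and TV addresses, the RFC 5737 "third-party" addresses and the four sample frames are all constructed for the example; the assumption is that the router at ROUTER_IP is the only resolver the client is supposed to use. Point it at a real /tmp/prime.pcap to get the same summary before opening Wireshark.

```python
import socket
import struct
from collections import Counter

# Assumed addresses (constructed for this example, not taken from the thread):
ROUTER_IP = "10.234.53.1"   # LAN resolver the client is supposed to use
TV_IP = "10.234.53.4"       # the client being captured (the thread's Android TV)
# RFC 5737 documentation addresses standing in for third-party servers:
PUBLIC_DNS = "203.0.113.53"
DOT_SERVER = "203.0.113.54"
HTTPS_SERVER = "198.51.100.7"

def build_dns_query(name):
    """Minimal DNS query message (one A question) for `name`."""
    header = struct.pack(">HHHHHH", 0x1234, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"
    return header + qname + struct.pack(">HH", 1, 1)

def build_frame(src, dst, dport, proto, payload=b""):
    """Ethernet + IPv4 + UDP (17) or TCP (6) frame; checksums left at zero."""
    if proto == 17:
        l4 = struct.pack(">HHHH", 40000, dport, 8 + len(payload), 0) + payload
    else:  # 20-byte TCP header carrying a SYN
        l4 = struct.pack(">HHIIBBHHH", 40000, dport, 0, 0, 5 << 4, 0x02, 65535, 0, 0) + payload
    ip = struct.pack(">BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, 0x4000, 64, proto, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    return b"\x00" * 6 + b"\x11" * 6 + b"\x08\x00" + ip + l4

def build_pcap(frames):
    """Wrap frames in a classic libpcap file (little-endian, linktype 1 = Ethernet)."""
    data = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, frame in enumerate(frames):
        data += struct.pack("<IIII", 1700000000 + i, 0, len(frame), len(frame)) + frame
    return data

def parse_pcap(data):
    """Yield (src, dst, proto, dport, payload) for every IPv4 UDP/TCP frame."""
    if struct.unpack("<I", data[:4])[0] != 0xA1B2C3D4:
        raise ValueError("not a little-endian classic pcap file")
    off = 24
    while off + 16 <= len(data):
        incl = struct.unpack("<IIII", data[off:off + 16])[2]
        pkt = data[off + 16:off + 16 + incl]
        off += 16 + incl
        if len(pkt) < 34 or pkt[12:14] != b"\x08\x00":
            continue  # not IPv4 over Ethernet
        ihl = (pkt[14] & 0x0F) * 4
        proto = pkt[23]
        l4 = pkt[14 + ihl:]
        if proto not in (6, 17) or len(l4) < 8:
            continue
        dport = struct.unpack(">H", l4[2:4])[0]
        payload = l4[8:] if proto == 17 else l4[(l4[12] >> 4) * 4:]
        yield socket.inet_ntoa(pkt[26:30]), socket.inet_ntoa(pkt[30:34]), proto, dport, payload

def dns_qname(payload):
    """First question name from a DNS message (queries carry no compression pointers)."""
    labels, i = [], 12
    try:
        while payload[i]:
            n = payload[i]
            labels.append(payload[i + 1:i + 1 + n].decode("ascii"))
            i += 1 + n
    except (IndexError, UnicodeDecodeError):
        return None
    return ".".join(labels)

def audit(pcap_bytes, router_ip=ROUTER_IP):
    """Summarise the client's DNS/TLS destinations and flag resolver bypass."""
    report = {"queries": [], "bypass": [], "dot": [], "https": Counter()}
    for src, dst, proto, dport, payload in parse_pcap(pcap_bytes):
        if proto == 17 and dport == 53:
            name = dns_qname(payload)
            if name:
                report["queries"].append((dst, name))
            if dst != router_ip:
                report["bypass"].append(dst)   # plain DNS that skips the router resolver
        elif dport == 853:
            report["dot"].append(dst)          # DNS-over-TLS never reaches the router resolver
        elif dport == 443:
            report["https"][dst] += 1          # HTTPS destinations to inspect; DoH hides here
    return report

def sample_capture():
    """Constructed capture: a query via the router, one to a public resolver, a DoT and an HTTPS connection."""
    return build_pcap([
        build_frame(TV_IP, ROUTER_IP, 53, 17, build_dns_query("example.com")),
        build_frame(TV_IP, PUBLIC_DNS, 53, 17, build_dns_query("example.net")),
        build_frame(TV_IP, DOT_SERVER, 853, 6),
        build_frame(TV_IP, HTTPS_SERVER, 443, 6),
    ])

if __name__ == "__main__":
    # For a real capture: audit(open("/tmp/prime.pcap", "rb").read(), router_ip="<your router LAN IP>")
    for key, value in audit(sample_capture()).items():
        print(key, value)
```

Anything in "bypass" or "dot" is a device talking to a resolver other than the router, which is exactly the case where ControlD and the VPN exclusion never see the query; the "https" counter is the starting point for the IP blocklist the earlier post mentions for DoH.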