"force browsers to use a CA they control" is an essential ingredient. The article you linked mentions they have performed some CA trickery but does not mention anything about them having done it "for decades" and does not indicate that it is a widespread phenomenon.
More explicitly: blocking individual YouTube videos requires control of the routers all traffic flows through AND control over the encryption of that traffic. If they cannot read the encrypted traffic then they do not know when a banned video is being watched. To date they have not exercised that level of control; they have not implemented a way of banning individual videos, and it would be difficult for them to implement.
Using a CA they control is only essential if they don't want to be caught. However, I would assume most web browsers in China are using CNNIC certs. At that point it would be trivial. Just return a different DNS entry, and have your CA verify it. Sure, pinning might alert some people that something is going on, but what are they going to do about it? I could have done it 10 years ago with WCCP and a Blue Coat.
But yes, I was wrong about them openly breaking SSL for decades. Doesn't mean it would be difficult.