I’ve finally found what was the problem. There were two firewall rules for blocking all TCP and UDP traffic for:
C:\users\xxxxxxxx\.platformio\python3\python.exe
I’ve now changed that firewall rule from Block to Allow and added TCP port used by OTA (the one configured with --host_port) and IP range of ESP32 boards as a condition for applying the rule and OTA now works without disabling the firewall.