AirPlay uses something called mDNS (Apple calls it Bonjour) to advertise itself.
Every so often your AirPlay target devices will send a packet to everything on the network saying "hey I'm at xx.xx.xx.xx, and I can do AirPlay." Your aTVs broadcast multiple things using this (remote app, AirPlay, AirPlay video, HomeKit, among others). This is also used by your Mac to advertise file sharing.
Internet routers (like what your ISP uses, not something that would be in a home) will not forward these packets. They only work on local networks, and most likely your modem should stop them before they ever leave your house.
So even if somehow your device was directly on the internet, the advertisement won't go far, and without being told who can receive AirPlay, your phone can't send audio.
These packets are what I referred to in the post above. Some VPNs will pass them, but it's not something that's usually enabled.
I'd be more willing to accept your son's friend is playing some sort of prank, and not telling you the full way he's doing it.
If he had a device in your house he could control remotely, it wouldn't be a problem to AirPlay from that. It's pretty easy to set up Remote Desktop on a computer. I'd check your son's computer if it happens again, see if anything looks off, and make sure there's not a second account active, but logged off. Especially if his friend has used the computer.
If your router or modem is still using the default passwords, change that immediately.
If they were using default passwords, go into the port forwarding section on your router, and see if you see anything out of the ordinary. My guess is you shouldn't have any entries.
Another router setting to look at is UPnP, which allows devices on your network to request the router to open ports. With this enabled anything on your network can request to allow traffic back into your network. There should be a page with a list of anything that's been requested. It's best practice to leave this disabled, to keep random devices from opening holes in your protection.
Another option is to factory reset your router, immediately change the password, and re-set up what you need (probably just Wi-Fi name and password).
It's probably best that only you have access to router settings, so don't share that password. Obviously sharing the Wi-Fi password is OK.
I'm not saying go and accuse your son and his friend of anything tricky like that, but it's the most logical explanation.
There's no way that it should "just work" with default settings, something more than likely had to be changed.
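The advertisement packets described in the post above, as an added example that is not part of the original post: a small Python parser that reads an mDNS response and lists which services a device is announcing, useful for seeing what on your own network is offering AirPlay. The sample packet, the "Living Room" device name and all function names are constructed for illustration; `_airplay._tcp` and `_raop._tcp` are the service types AirPlay devices advertise.

```python
import struct

def encode_name(name):
    """Encode a dotted name as uncompressed DNS labels."""
    return b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"

def read_name(buf, off):
    """Decode the DNS name at off, following compression pointers; return (name, next_off)."""
    labels, end, hops = [], None, 0
    while True:
        length = buf[off]
        if length & 0xC0 == 0xC0:               # compression pointer to an earlier name
            end = off + 2 if end is None else end
            off = ((length & 0x3F) << 8) | buf[off + 1]
            hops += 1
            if hops > 16:                       # malformed packet: pointer loop
                raise ValueError("compression pointer loop")
            continue
        off += 1
        if length == 0:
            return ".".join(labels), (off if end is None else end)
        labels.append(buf[off:off + length].decode("utf-8", "replace"))
        off += length

def advertised_services(packet):
    """Return (service_type, instance) per PTR answer in an mDNS response (UDP 5353, 224.0.0.251)."""
    _id, flags, qd, an, _ns, _ar = struct.unpack("!6H", packet[:12])
    if not flags & 0x8000:                      # QR bit clear: a query, not an advertisement
        return []
    off, found = 12, []
    for _ in range(qd):                         # skip any question entries
        off = read_name(packet, off)[1] + 4
    for _ in range(an):
        owner, off = read_name(packet, off)
        rtype, _cls, _ttl, rdlen = struct.unpack("!HHIH", packet[off:off + 10])
        off += 10
        if rtype == 12:                         # PTR: "this service type is offered by ..."
            found.append((owner, read_name(packet, off)[0]))
        off += rdlen
    return found

def sample_packet():
    """Constructed advertisement (not a capture): one device offering two services."""
    pkt = struct.pack("!6H", 0, 0x8400, 0, 2, 0, 0)
    rd1 = b"\x0bLiving Room\xc0\x0c"            # instance label + pointer to offset 12
    pkt += encode_name("_airplay._tcp.local") + struct.pack("!HHIH", 12, 1, 4500, len(rd1)) + rd1
    rd2 = b"\x0bLiving Room" + struct.pack("!H", 0xC000 | len(pkt))
    pkt += b"\x05_raop\xc0\x15" + struct.pack("!HHIH", 12, 1, 4500, len(rd2)) + rd2
    return pkt
```

Calling `advertised_services(sample_packet())` returns one entry per advertised service; a packet with the response bit clear (a query) returns an empty list.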