Usually it uses your IP address first, bit it’s not the only information in cases where the IP address is a known VPN or similar. Are you saying you were tunneling over TOR the first time?
When you switched to VPN you didn’t mention what browser. If it’s one that supports advertising IDs, that could be used, for example.
And when you connected to copilot did you get a captcha popup? If so, did you have to actually solve a captcha or click a button? If not, then it likely is getting information from somewhere that you are trustworthy.
Clear all browser data, make sure enhanced tracking protection is not disabled for the site. Go to a site that tells your IP address and verify it’s the Tor endpoint to verify the setup there is correct. Then try again.
Also, assuming you’re not clicking through any popups to allow tracking info or logging in to any accounts on this browser beforehand. If you log into a Microsoft account or any other account for a site that Microsoft gets info from first, it can use those logins to track you. You can disable this in the browser, but so many sites will break without it.
Most could, but most are also designed not to because adding a virtualization type of layer allows for ways to circumvent it. Anticheat needs to trust the environment it is running in so it can rely on the information. Wine is designed to replicate things it trusts in Windows, but not actually necessarily replicate the way the kernel actually does those things, so the things they are relying on might not mean the same thing as the do in Windows. So they’d need to analyze and possibly implement things a bit differently. This takes time and money and for companies like this, the customer isn’t the user, so they have little reason to cater to users needs. Pro gaming and a few online game companies are their primary customers and they generally don’t want to support Linux anyway.