The long term workaround for data brokers is to become a first party... have the main website serve your 3rd party JS from their own server under their own domain. That makes it much harder to block.
For your IP+UA hypothetical, the easy fix is to make everyone look the same. IP should be the only personally identifiable factor. Tor and desktop Firefox w/ privacy.resistFingerprinting turned on both do this. Open window not-maximized at 1000x1000 size, use the same UA regardless of what platform & browser version you're actually on, and a bunch of other stuff. That said, I don't know how effective it actually is against modern comprehensive fingerprinting libraries.
For your IP+UA hypothetical, the easy fix is to make everyone look the same. IP should be the only personally identifiable factor. Tor and desktop Firefox w/ privacy.resistFingerprinting turned on both do this. Open window not-maximized at 1000x1000 size, use the same UA regardless of what platform & browser version you're actually on, and a bunch of other stuff. That said, I don't know how effective it actually is against modern comprehensive fingerprinting libraries.