Device fingerprinting in what way?
There are three main types
1) Baked in fingerprinting. This is things like a device returning a serial if requested, or embedding it in data/requests. There are some protocols where it is baked in but this is more security focused devices/setups than anything too common on the internet. There are some things where it is covert (the world of warcraft screenshot one being an interesting case there, though the classic would probably be laser printer yellow dots) and others where it is overt.
2) Unintentional soft fingerprinting. I can't imagine there are too many people with my fonts, my apparent resolution, my cookies, my browser, my location (though proxies/using another wifi might evade that), and probably even fewer that which used those previous things and visited GBAtemp, romhacking.net, youtube and bitchute in the last however many minutes (if you control a TOR endpoint or enough of them..., or hack a computer to use your proxy service). Even user agent switching has some fun side effects at protocol level -- one day I will have to find the talk again but the gist of it was the order in which requests for information come might well be different between browsers and thus you can tell what is what, and what is a switched agent and while this was nominally for bot detection it is trivially twisted here.
3) Unintentional hard fingerprinting. This is things like the classic this camera has 6 dodgy pixels in this unusual patten. Find another video or photo with this pattern of damaged pixels and it will likely be the same, see if there is more juicy info in these.
It will also vary with level of control. A website can run javascript and under normal circumstances can't do much more. Flaws in the browser or a hacked browser (while it is open source and signed do I check? Can't say I ever have).
A closed source game given ring 0 access (because cheaters and pirates don't you know) is a whole other kettle of fish.
While you can attempt to eliminate everything it is a hard game, not necessarily an impossible one in some senses. You also have the option of going wide -- I can filter a small handful of fairly accurate data quite easily but give me terabytes of the stuff to filter and I am probably going to have a far harder time unless there is a secondary fingerprint that gives it all away.
Also while "those with nothing to hide" is a terrible philosophy there is something of interest in it all -- why do you seek to hide and what does doing all this accomplish above and beyond basic "don't use social media, don't post your name, don't post your address, indeed maybe make up some plausible sounding alias/identity and go with that"? You can go one further and isolate a machine you went and bought in cash somewhere -- even better if that machine is a basic Windows 10 machine with stock fonts running a 1080p screen with default taskbar behaviour, maybe stock firefox (or firefox with adblock and some other choice stuff to frustrate efforts) and visiting one website at a time, each in porn mode as there has got to be millions of those at any one time.
To answer the above question I imagine it is similar to the browser stuff I mentioned. Window's network stack behaves rather differently to Linux's (and BSD's and Apple's and on and on and on), indeed I have made use of it before to hack things -- many attacks using SMB file sharing (popular for routers) actually need Windows as samba is too close to proper protocols whereas Windows will ride roughshod over things. Depending upon the nature of your firewall (never mind ipv6 in many common setups) or the nature of the exploit (if you allow flash or full java to run in the browser say) even within a VM there can be some things done to feel out the network, even more so if you do some of the passthrough options rather than the more virtual network card options.
Does TOR (or perhaps more accurately for these purposes the TOR browser) make everybody's device appear identical these days? Doesn't that break a few websites that rely on resolution being sent back in?
I have not assessed recent firefox efforts on the strict privacy front but I would not expect too much here (more likely a combo of do not track which is not meaningless but not too far off and maybe a blacklist of some tracking cookies), or if it did then it would break quite a few websites.