I bet you've never worked on an e-commerce system then because none of your suggestions work against e-commerce fraud, and you'd literally lose all of your money:
switch off of the web into an App: Can't just shut down your website. Also, device farms and VM farms are super common so it won't even help.
require sign-ons against an internal system for authentication: Sure, you can require your users create an account. Accounts can be created by the thousands by bots. Even if you use captchas, captchas don't work, and even if they did I can find you 100 people who will sign up for accounts manually and sell them to you for 10 cents a piece.
policy people actively: I assume you mean police people effectively. Kind of hard to "police" your customers when a huge percentage of them sign up once, buy something, and maybe only come back 3 years later. In the meantime, their super simple passwords may have been hacked and leaked 10 times already. Maybe you should require your customers all use 2FA. Let's see how many customers you have remaining once you turn that on.
But here's the thing - it does cost money and customers to properly authenticate people. 2FA will lead to less sign ups but it will give you a more secure user base - in a world where DAU is the number to live and die by then security is compromised in order to help float that DAU stat. For sign-ons collect a per account activation fee or subscription fee - if your goal is to only have real users then enforce that with money, if your goal is to allow people to freely browse your site unless they're abusing your site then yea - that's where fingerprinting comes in, and it comes in because that isn't a solvable problem. If you want to know who your users are you need to be upfront about collecting that information securely and if you want any old joe who gets a link to immediately get sucked into browsing your site and looking at ads then just stop basing your business off of dark user patterns - deliver value, charge fairly for that value, realize that lots of potential business ideas would never be profitable because people simply can't be bothered to actually put out money for that service.
This whole fingerprinting debacle is part of the ad-support web assumption, and the assumption that websites can be entirely ad supported is false outside of exceptional circumstance and certainly highly limiting and concerning for free speech - expecting a business to be ad supported, that's pretty much an impossible dream, we're living in a bubble where advertisers and marketers continue to sell lies about the ratios of converting views to actual sales.
Like many things in life, the fight between good actors and bad actors online is a state of dynamic equilibrium.
Everybody loses money to fraud, but as long as they invest enough money and resources they can keep those fraud losses to an acceptable level. Because criminals are infinitely creative, the problem will never be "solved." There will always be new moves and new countermoves.
Total security is an illusion. Everyone who's worth hacking or worth defrauding will get hacked or defrauded sooner or later. The people who have made the necessary investments are able the contain the damage. The other ones, or the really unlucky ones, end up dying off.
Total security is possible but unrealistic. In our modern world we have terrible baseline security, we can do better with some trivial adjustments that the market is countering with a strong disincentive because we as a society haven't placed a clear value on security (outside EU where GDPR has flaws but is an attempt to reward good actors).
This is essentially equivalent to a tragedy of the commons mixed in with a race to the bottom - companies are currently penalized for practicing good security, they are voluntarily accepting lower profit margins in exchange for something nobody cares about, they're also losing access to some supplemental revenue through reselling customer data. If we add decent incentives and make it economical to follow a "good" path we can increase our baseline of security, hacks will always happen but we can minimize the costs of those hacks and their frequency with best practices.
Heck - my standard line with companies w.r.t. PII is that "Your proposal is essentially to collect everyone's alarm code into your safe, your safe has gone from something nobody is interested in to something that, if compromised, could lead to a bunch of people being burglarized." the issue is that over-collecting PII and then, shucks, losing it in that completely unavoidable security compromise, doesn't lead to appreciable punishment for the company - in the real world it sure does (if your locksmith copies your key an extra time then gets burglarized and the burglar uses that extra key to burgle your house the locksmith is absolutely liable and may be found to be a conspirator). It's anomalous that these two worlds are in contrast.
All that said, I absolutely agree that it's a balance and there aren't super simple answers here, but it's important to reject the thought that being as vulnerable as most businesses are is acceptable.
switch off of the web into an App: Can't just shut down your website. Also, device farms and VM farms are super common so it won't even help.
require sign-ons against an internal system for authentication: Sure, you can require your users create an account. Accounts can be created by the thousands by bots. Even if you use captchas, captchas don't work, and even if they did I can find you 100 people who will sign up for accounts manually and sell them to you for 10 cents a piece.
policy people actively: I assume you mean police people effectively. Kind of hard to "police" your customers when a huge percentage of them sign up once, buy something, and maybe only come back 3 years later. In the meantime, their super simple passwords may have been hacked and leaked 10 times already. Maybe you should require your customers all use 2FA. Let's see how many customers you have remaining once you turn that on.