The DNT header must be honored by the remote service, similar to robots.txt.

Since the browser itself stores the cookies, it has the absolute authority to stop them.

So is this just going to be a different/easier way to configure per site cookies?

Actual legal backing.

Has anyone been successfully sued/fined/punished under GDPR in a meaningful way? Clearly TC still gets away with this nonsense.

Yes.

https://en.wikipedia.org/wiki/GDPR_fines_and_notices

Google, $50M; Marriott International, £99M; British Airways, £183M; 1&1 €9.5M; etc.