The solution to avoiding tracking can't be on the client side, because it's not the client side doing the tracking. So it should be obvious that the law can't target the browser, it must target the server.
This is not only sane, it is very obviously the only way it could be done. Remember, the law isn't about cookies or headers or anything specific: it is a law about user tracking. You're delivering JS that paints a font in a hidden area of the screen? It's then measuring the results and reporting data back to you to track this particular user? Then you need to ask for consent. The browser can't possibly know the intent of the code it is running, so the browser can't be made responsible for protecting user privacy.
This is not only sane, it is very obviously the only way it could be done. Remember, the law isn't about cookies or headers or anything specific: it is a law about user tracking. You're delivering JS that paints a font in a hidden area of the screen? It's then measuring the results and reporting data back to you to track this particular user? Then you need to ask for consent. The browser can't possibly know the intent of the code it is running, so the browser can't be made responsible for protecting user privacy.