You don't need to. The reason fingerprints are problematic is because you can't get rid of them. They link all of your activity together into a single profile that you can't turn off.
Take a step back for a second -- why is it problematic to be able to link information to someone's real-world identity? Because who I am -- my address, my name, my face, and so on, is very difficult to change. It's a problem because once you've linked an activity to me in the real world, it's now permanently pinned to my identity.
So with that in mind, what is the difference between tracking where I live and stalking me in the real world, and tracking what devices I live in and where I go online? In both cases, you're taking away my Right to Hide, and forcing me to use a single profile that I can't walk away from or operate outside of.
Certainly, the difference isn't that the real world is harmful and the digital world isn't. You can abuse, stalk, price-gouge, censor, and deny service online just as easily as you can do it offline.
If you have a persistent identifier for me, that links only to me, that allows you to recognize me on every website I visit, and if I can't escape that identifier, then you have already traced that information back to me as a person. Knowing my name or my address doesn't matter, those are just facts about me. 'I' as a person am the persistent identifiers that point at me.
By asking some site which has PII of yours to look up the fingerprint and associate it with the PII. Like, anyone you've ever given an email address, phone number, or credit card number to.
Sure, let's give a hypothetical but quite plausible example. Let's say that I run website ABC and the ad intermediary scripts make a note that fingerprint XYZ visited my site.
They then give that data to Facebook who some days later records a visit from user srbby with the fingerprint XYZ, so they know that "srbby" with phone number 123455 (which fb has) visited site ABC.
Also, your aunt has your phone number in her contact list and she (as a few other people, to make it certain) lists a name "Bob Smith" for it, so FB can link that user "srbby" Bob Smith phone# 123455 visited site ABC.
Afterwards they sell that data to some ad agency that combines it with location data from either your cell phone provider (the major US cell providers sell such data) or some driving or taxi app to note your travel patterns and extract where you live and work.
So they know that fingerprint XYZ has the following (long) list of user accounts, visits sites like ABC, has that particular phone number, most likely is called Bob Smith, and most likely lives in such and such address and works at ACME Inc (or drives there every morning for another weird reason). For some fingerprints some of that data will be wrong, but it's mostly accurate, and definitely accurate enough for their purposes.
They don't really give all that data around to every advertiser just because (well, not for free), however, whenever an ad "auction" asks "heeeey, who's going to bid the most for which ad for fingerprint XYZ?" then this is the profile that's going to be used to make the winning, most targeted bid.
You can go to my ISP with a warrant and ask for their records. Which means that interestingly an IP address is only PII if the entity that holds it can lawfully request that information.
Using that logic, a browser fingerprint would also be PII if the ad network can use it to determine who you are, or presumably if they can link it to other PII.
You do it by matching it up to other records with my fingerprint or name.