It seems like the solution is to provide an age verification mechanism with robust privacy protections. That way when we offer a solution that works for all of their states concerns, if they disagree with the privacy preserving approach we force them to say outright "I want to keep a record of every website you visit."

Unfortunately not. They will use even the most privacy preserving protocol to push remote attestation of end devices. Which in itself is a stepping stone making their next steps much easier.