Why does CNAME Cloaking enable cross domain tracking?

Recently, as browsers start blocking 3rd party cookies, a risky technique known as CNAME Cloaking emerged. It is said that this technique enables trackers, especially those in the online advertising industry, to continue to track users across domains and across the web.

From https://medium.com/nextdns/cname-cloaking-the-dangerous-disguise-of-third-party-trackers-195205dc522a:

Let’s assume you visited website1.com that includes a third-party tracker from Tracking Company, then website2.com that also includes that tracker. Tracking Company would know that you visited both sites…

As I understand, in CNAME Cloaking, the browser doesn’t know a given external resource (such as image, iframe, or JS) is an alias to a 3rd party site. So if a user is on website1.com, the browser will still store and send first-party cookies to img1.website.com, which is an alias to trackingcompany.com.

My question is on how CNAME Cloaking establishes linkage for the same user across domains. As a specific example, say website1.com stores/sends its first-party cookie containing w1_id to Tracking Company, while website2.com sends/stores w2_id. How does Tracking Company link w1_id and w2_id it gets?