Apple uses an RSA-bound access token that's not linkable back to you and a public/private key system to verify your access to the ingress proxy server.
The connection uses QUIC, which is meant to be like TCP but with lower latency and HTTP/3, and because Apple encrypts the connection, even your ISP can't see where it is on the web you want to go. All they see is the connection to Apple's ingress proxy server. So, Apple knows your IP, but not the website you want to go to because that's encrypted.
At that point, Apple will strip away your real IP address and replace it with a temporary IP address from a pool of available addresses. This can be a local IP address, if you still want to be able to get local services or search results, for nearby Slurpy Burgers, for example, or a rando IP where the most someone will be able to get from it is your country or region.
In iCloud Internet Privacy settings, you can switch between Maintain General Location or Use Country and Time Zone for the temporary IP at any time.
Apple then forwards your connection on to a second relay, an egress proxy server. That server isn't owned by Apple. So it could be… Cloudflare or something similar. There are a bunch of different egress proxy servers and a token-based system to randomly assign them, which is like another layer in the privacy sammich