technical description of how enforcing commercial data protection works

Microsoft documentation describes how to enforce commercial data protection fairly well, however I'm not finding a technical description of how specifically these methods actually work.  For example, if we enforce using the DNS method, and a user doesn't have CDP enabled on their 365 license for some reason, can they still access copilot?  Or if they don't sign in, can they still access copilot from a work device?