Honestly, nothing surprises me here. If the user registered via VPN, deposited, and lost a billion dollars, there wouldn't be any issues.
But the moment it comes to a withdrawal—any kind of withdrawal—suddenly "rule violations", KYC, and accessing from an unauthorized location become a problem.

In this case, it’s simple: just stop the user from playing, but let her withdraw the affiliate commissions she’s earned.

Why is that a problem? What law is stopping you from doing that? But no, casino owners are well-known for being immoral, greedy scumbags, and honestly, they all act the same way.

Does any casino require KYC before the user requests a withdrawal? Of course not.