This is a big assumption here, but your users have to somehow put in their wifi SSID and password right?
Can they put in the anvil login email and password as well? The info could be gathered from the pico config file and the uplink could use the anvil.users.login_with_email() method, then call a server function who would be able to access the user row from the users table using anvil.users.get_user() to apply the pico’s unique ID to that specific already authenticated user.
Or do a riff on this suggestion below, entering a unique auto-generated code on the pico as a challenge of possession, either by entering the code into a file on the device, or displaying a code on something on the pico that you can then put into the webpage to authenticate that you are in possession of the item.
You could even have the pico emit some number of built-in LED blinks as a unique code, then you don’t even need a display!