
I thought that was "Canvas-Font Fingerprinting"

But now I see that is just seeing which fonts are available.

Thanks for the explanation. It's just hard to believe devices are so different. I would think most versions of iOS would have roughly the same set of fonts etc.



Canvas fingerprinting by itself won't uniquely identify users. But the idea is that you can combine various different techniques, each one giving you more bits of uniqueness, until you have enough to do so. For example, say that canvas fingerprinting gives you one of 100 possibilities, and you combine it with other techniques that give you one of 10,000 possibilities, then combined (assuming they're not correlated) you get it to a million, letting you uniquely identify people with decent reliability from a decently large visitor pool.
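
The arithmetic in the comment above, as an added example that is not part of the thread: it measures how many bits a set of attributes contributes over a visitor sample, and shows that correlated attributes (here a canvas hash fully determined by platform) add fewer bits than the uncorrelated case suggests. All attribute names and values are constructed for illustration.

```python
import math
from collections import Counter

# Constructed sample, not real data: (canvas_hash, platform, timezone) per visitor.
# canvas_hash is fully determined by platform; timezone is independent of both.
VISITORS = [
    ("c1", "P1", "tzA"), ("c1", "P1", "tzA"),
    ("c1", "P1", "tzB"), ("c1", "P1", "tzB"),
    ("c2", "P2", "tzA"), ("c2", "P2", "tzA"),
    ("c2", "P2", "tzB"), ("c2", "P2", "tzB"),
]

def bits_if_independent(*possibilities):
    """Bits from combining uniform, uncorrelated signals: log2 of the product."""
    return sum(math.log2(n) for n in possibilities)

def entropy_bits(values):
    """Shannon entropy in bits of the observed distribution of values."""
    total = len(values)
    counts = Counter(values).values()
    return -sum((c / total) * math.log2(c / total) for c in counts)

def audit(rows):
    """Compare the naive sum of per-attribute bits with the measured joint bits."""
    columns = list(zip(*rows))
    groups = Counter(rows)  # visitors sharing an identical fingerprint
    return {
        "sum_of_marginals": sum(entropy_bits(col) for col in columns),
        "joint": entropy_bits(rows),
        "unique_visitors": sum(1 for c in groups.values() if c == 1),
        "smallest_anonymity_set": min(groups.values()),
    }

if __name__ == "__main__":
    # 100 x 10,000 possibilities -> about 19.9 bits, i.e. one in a million.
    print(round(bits_if_independent(100, 10_000), 2))
    print(audit(VISITORS))
```

In the constructed sample the three attributes sum to 3 bits individually but only 2 bits jointly, and every visitor still shares a fingerprint with one other, which is the gap the "assuming they're not correlated" caveat points at.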


What are some unexpected things that would differ between two iPhones of the same model running the same versions of the software stack?


Good question. I'm not particularly informed on this stuff, so take this with a grain of salt, but my understanding is that mobile devices in general and iPhones in particular are much harder to fingerprint reliably. Things like time zone, clock skew, and ping times might help differentiate users, but you probably can't get it down to a single person. I imagine there's still a use for fingerprinting which helps you differentiate groups of users even if you can't narrow it down to just one.


Actually, checking if a font is available does not require canvas (you can simply inject a piece of text into the page with a specific font stack set and check its width). Rather, what canvas is used for is to obtain the sub-pixel anti-aliasing of a given piece of text, which is different between browsers and OS even when the same font is present.


I would assume that iOS devices are quite hard to tell apart using most of these techniques, yes. But I also wouldn't be too surprised if there were something that works for them, some kind of cookie that isn't cleared by default or ...


Yup, HSTS supercookies or some kinds of network fingerprinting will work to distinguish between two otherwise identical iOS devices.



