Am going to guess the resulting sandbox reports that network is connected, but has no route to whatever DRM/anti-cheat/always-online endpoint is embedded in the Windows game.

As opposed to network reporting disconnected if you turn off your networking with nmcli.

I'd guess the logic for some games is if connected; then if not server-is-reachable; then assume nefarious; fi; fi...

jimbobmcgee‭ Interesting - I'm not sure if that's true, but it would certainly explain it if so. Any idea on how I can confirm it?

It depends if you can afford for the game's network traffic to actually reach home.

For capturing outbound network traffic, I'd use tshark or tcpdump to write a pcap file, then examine it in Wireshark. I'd be looking for the differences between network traffic when I was sandboxed vs when I was not.

You'd need to run the capture inside your sandbox, alongside your game, and I don't know if bwrap would let you do that. Maybe bwrap a shell and invoke both commands from that same shell?

At a lower level, you might look at strace to invoke the game and spool a lot of debug info while it is running, but you'd need more specialist help to interpret the results.

That's a good idea - I'll give it a try next time I run into this.

With bwrap, it is indeed possible to capture diagnostics both inside and outside. Outside will include the activity of bwrap itself on top of what the program inside does. Both might be interesting in this case.