Pretty much everyone has a phone, right? And pretty much every phone has a TPM that can store cryptographic keys and self-destruct rather than ever let them leak, right? So, you need two keys: One proof-of-age key that's the same for everyone, perhaps generated fresh each month by the government, for which simply having access to the key says that you're over the threshold and nothing more. Then, a unique-to-you key generated by your phone that is only used once a month on a fixed date to fetch the latest proof-of-age key. Setting that one up may require visiting a government office in-person once to verify your identity. Then, everyone over 18 in a single nation looks alike to the websites asking for your identity. To ensure they don't sneakily swap out the proof key for targeted individuals, each month's public half would be made public, for all users and websites alike to see. Perhaps have the TPM verify a fingerprint or face match before unlocking the proof key.

And if that's a scheme that a cryptography amateur can come up with in minutes, based on a high-level understanding of TPMs and SSL certificates, imagine what someone who properly understands M-of-N secret sharing, zero-knowledge proofs, and all sorts of other clever mathematical tools could do, given months to refine their design and peers to identify and help correct flaws all along the way!