This is fingerprint protection caused by Enhanced Tracking Protection set to Strict or Custom with "Suspected fingerprinters" enabled.

Is there a way to exempt certain fonts from this?

For context, I have a userContent.css file which overrides the monospace font used in `code` and `pre` elements with a different font I have installed locally, which has now stopped working because I also have the enhanced tracking protection stuff enabled. Tbh I have no idea how this system works internally, but I feel like there should be a distinction between a website trying to access a local font (in which case it might be fingerprinting, and thus should be viewed with suspicion), and the userContent stylesheet trying to access a local font (in which case it clearly isn't fingerprinting, since the user intentionally created/edited the userContent file, and explitly put that font name in there).

Fingerprint protection is all about uniformity so creating exemptions for specific fonts would defeat any benefit. You should assume that font overrides or userContent.css can be detected by sites in some way, whether directly or indirectly.

You can disable font protection by going to about:config and changing privacy.fingerprintingProtection.overrides to -FontVisibilityBaseSystem,-FontVisibilityLangPack.

Would it not be possible for the browser to distinguish between the CSS requesting the font or some evil script asking for it?