I captured any HTTPS requests that overlay was doing - it includes POESESSID. The one thing I don't understand is how did GGG determine that it's specifically overlay? My best guess is the User-Agent, since its specifically stating that its Chrome running on Linux under X11... but there's no direct thing that just states "hello GGG trade site, this is PoE Overlay". Maybe the millions of requests from those specific individuals is using the same exact User-Agent (to hide botting activity and scapegoat Overlay? oh boy, conspiracies!)
As for testing the tool responding to 429, a very brief and uncontrolled test made Overlay actually just sit there and indefinietely display the "Searching..." box without any other requests after the initial POST to the API. After trying to price check multiple items, Overlay just flat out doesn't make an attempt. Again, the test was just a brief one using Fiddler's AutoResponder and an auto-respond 429 with a Retry-After of 5.
edit/update: I manually triggered 429 by just spamming price check on random items in a dump tab - Overlay correctly reports that you're being rate limited, though any previous price checks that succeeded in the /trade/search phase will still attempt to do the /trade/fetch request (and, as one would expect by now, fail at it). Though, it does not re-attempt any of these requests as far as I can tell.
edit2: Looked at Overlay's source for the User-Agent thing - it's randomly generated, just so happened that the run I tried it on I got X11/Linux/Chrome... Either way, the point still stands: How is GGG detecting that these API requests are coming from Overlay specifically?
devtrackers.gg