We can only identify someone by hardware hash since we already know the (person, hardware_hash) connection. If you already know the person, you do not need the hardware_hash as well to build a profile, nor does the hardware_hash provide additional information.
Orion gave quite a clear explanation of why an IP address is personal data, yet a hardware ID isn't. Knowing someone's IP address gives you a relatively easy way to find someone's location, while knowledge of the hardware ID does not point to the physical PC. The only way you can find out which PC a hardware ID belongs to is by hacking as many computers as possible and hoping you get lucky.
Article 4(5) of GDPR defines pseudonymization as: "‘pseudonymisation’ means the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that the personal data are not attributed to an identified or identifiable natural person;".
By using pseudonymization methods, you separate all the identifiers so that nobody can link them to a specific person. However, GDPR makes it clear that pseudonymous data is still considered personal data if the data controller or other party is able to reverse the process of pseudonymisation (which I assume is the case for WBMM).