Would you prefer that anyone be able to request that any non-verified account be deleted?
I'd bet their security system saw you log in from a new IP, maybe even over VPN(?), then change the email and add 2fa, which are exactly the steps a malicious actor takes when securing an account acquired using credential stuffing. They presumably expect that your account has been compromised and are treating you as untrusted until you provide some form of validation that you are who you say you are.
I suspect that if you were to seek legal action against them they would claim that you refused to take basic actions to positively prove your identity and throw out some statistics, ie (making this up) 98% of users are able to verify using their system without any issues.
If you do seek to bring them to court under article 77, would you not then be putting into the public record a permanent association between your real identity and the account you seek to delete? Is that better than simply sending them a picture of your ID? With this in mind, is it worth the cost of legal representation to resolve the issue? I'm not sure where you're from and you don't need to answer me but I would encourage you to consider those questions when determining your path forward.