If the session cookie was stolen, there's no new login to detect and send a security notification about.


Can't they detect that the session cookie is coming from a different IP than the one it was originally issued to?


Technically that's possible but there would be too many false-positives. People would be signed out every time they took their laptop home from a coffeeshop or connected over a mobile hotspot.


Yes. Facebook has implemented features to try to keep their users signed in, even if the user indicates that they want to sign out. Therefore, Facebook wouldn't want to sign people out if they go to a coffee shop.


They could use your local MAC or maybe detect the local radius of your IP (e.g. if you suddenly appear from a different continent then send a confirmation email). Sure, people using Tor might get burnt, but those use cases are likely less common than those who are getting their session cookies hacked.


A carrier-grade NAT could make you change IP address. Tor will do it. You would cause yourself more problems if you started to bind a session to an IP address.


Yeah, and it turns out CGNAT is ubiquitous among U.S. mobile phone carriers (which is a huge market for Facebook).

IPv6 privacy extensions are generally considered a feature.
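To make the trade-off in this thread concrete, here is an added example (not code from any commenter, and not a description of how Facebook or any other site actually does this). It compares the naive "bind the session to the issuing IP" check with the coarser "only react when the address moves to a different region" check the thread proposes, and counts how each policy treats a realistic request sequence: same-prefix address churn (CGNAT, hotspot, IPv6 privacy extensions) versus a genuine cross-region jump. The prefix-to-region table is constructed from RFC 5737 / RFC 3849 documentation ranges and stands in for a real GeoIP or ASN database; the function names and the `allow` / `reverify` / `reject` outcomes are assumptions of this example. The server only ever sees the client's source IP, not its MAC address, so that is all the check uses.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List

# Constructed lookup table (hypothetical): maps address prefixes to a coarse
# region. A production system would query a GeoIP/ASN database instead.
REGION_BY_PREFIX = {
    ipaddress.ip_network("203.0.113.0/24"): "EU",     # RFC 5737 TEST-NET-3
    ipaddress.ip_network("198.51.100.0/24"): "NA",    # RFC 5737 TEST-NET-2
    ipaddress.ip_network("192.0.2.0/24"): "APAC",     # RFC 5737 TEST-NET-1
    ipaddress.ip_network("2001:db8::/32"): "EU",      # RFC 3849 documentation prefix
}

ALLOW, REVERIFY, REJECT = "allow", "reverify", "reject"


def region_of(ip: str) -> str:
    """Return the coarse region for an address, or UNKNOWN if no prefix matches.
    Version mismatches (v4 address vs v6 network) simply do not match."""
    addr = ipaddress.ip_address(ip)
    for net, region in REGION_BY_PREFIX.items():
        if addr in net:
            return region
    return "UNKNOWN"


@dataclass
class Session:
    """Server-side record created when the session cookie is issued."""
    session_id: str
    issued_ip: str
    issued_region: str = field(init=False)

    def __post_init__(self) -> None:
        self.issued_region = region_of(self.issued_ip)


def check_strict_ip(session: Session, request_ip: str) -> str:
    """Naive binding: any change of source address ends the session.
    This is the policy the thread says would sign people out at every
    coffee-shop / hotspot / CGNAT address change."""
    return ALLOW if request_ip == session.issued_ip else REJECT


def check_coarse_region(session: Session, request_ip: str) -> str:
    """Coarse check: an address change inside the same region is allowed;
    a move to a different (or unclassifiable) region does not sign the user
    out but asks for step-up verification, e.g. a confirmation e-mail."""
    new_region = region_of(request_ip)
    if new_region == session.issued_region and new_region != "UNKNOWN":
        return ALLOW
    return REVERIFY


def simulate(session: Session, request_ips: List[str]) -> Dict[str, Dict[str, int]]:
    """Run both policies over a request sequence and tally the outcomes, so the
    false-positive cost of each policy can be compared on the same traffic."""
    tallies = {"strict": {ALLOW: 0, REVERIFY: 0, REJECT: 0},
               "coarse": {ALLOW: 0, REVERIFY: 0, REJECT: 0}}
    for ip in request_ips:
        tallies["strict"][check_strict_ip(session, ip)] += 1
        tallies["coarse"][check_coarse_region(session, ip)] += 1
    return tallies


if __name__ == "__main__":
    # Constructed request sequence: same-prefix churn followed by a cross-region jump.
    s = Session("sess-1", "203.0.113.5")
    print(simulate(s, ["203.0.113.5", "203.0.113.77", "203.0.113.200", "198.51.100.9"]))
    # IPv6 privacy extensions rotate the host part; the /32 region stays the same.
    s6 = Session("sess-2", "2001:db8:1::1")
    print(check_strict_ip(s6, "2001:db8:1::abcd"), check_coarse_region(s6, "2001:db8:1::abcd"))
```

The strict policy rejects three of four requests in the sample sequence even though only the last one left the region; the coarse policy allows the churn and raises a single `reverify` for the cross-region move. Tor and roaming users still land in `reverify`, which is the cost the thread acknowledges, but that is a confirmation step rather than a forced sign-out.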
