You’re correct. Over this setup, your IP isn’t directly exposed to your VPN provider. Still, both the VPN and the web site you’re connecting to can fingerprint you. (Your VPN will have a much harder time fingerprinting over HTTPS, but some attacks still apply.) If either can match this fingerprint with reasonable certainty to some profile they might already have on you, then they can de-anonymize you, and potentially reveal your IP address if it is already associated with that profile.
For this specific use case, you might want to try Startpage’s Anonymous View service over Tor Browser. It works just like a proxy (+ over HTTPS) and is entirely in-browser, so you can rely on Tor Browser’s anti-fingerprinting protections. It’s also nice to avoid setting up and potentially misconfiguring more ProxyVMs. The same attacks apply: both Startpage and the web site you want to connect to could potentially fingerprint you, but are going to have a much harder time. Your IP address is exposed to neither.
I’d urge you to try to change your perspective from viewing the IP address as the be-all-end-all for anonymity on the Internet to just a piece of the puzzle. Understand that there’s a lot more to de-anonymizing than just getting someone’s IP address, high- and low-tech, including: analyzing usage habits, analyzing data transfer speeds, getting their e-mail address, spyware in a compromised machine (or a VM), supercookies, malicious Tor exit nodes, GPAs doing traffic analysis, tracking pixels in e-mails, recognizing their profile picture…
There’s a lot of great material to read out there if you’re interested. I’ll recommend Whonix’s “Do Not” guide:
Or as an Onion: http://www.dds6qkxpwdeubwucdiaord2xgbbeyds25rbsgr73tbfpqpt4a6vjwsyd.onion/wiki/DoNot