Wouldn’t the sign in mechanism (which validates e-mail) prevent this, in the sense than they won’t be able to get a third-party account to authenticate with for a particular e-mail without verifying ownership of that e-mail to the third-party provider?
You address this by only linking accounts once a user has successfully signed in with another provider. That way if their email exists from another provider, you're more certain that it's the same account