
Yeah, I was wondering if a virtual machine is safe from malicious attacks, though. Can anyone comment on the feasibility of this method as fail-safe?



Ideally you'd want to be running Tor with transparent proxying of all traffic on a physically separate (and locked down) host. I believe there are guides on how to do all that on a raspberry pi out there.

On your primary browsing/whatever machine, I believe (but have not exhaustively researched) that it would still make sense to run inside a VM/container, because that would provide a much more 'generic' set of system characteristics (MAC address, clock jitter stats, CPUinfo, etc) than your actual hardware. It does provide a greater attack surface, so you'd have to weigh up the value of potentially masking physical identity vs likelihood of gaining root due to VM exploits.

There's also the risk of overconfidence because of these measures, which might lead you to overlook important details in the host OS, or in your communication habits.


Another option is to run an amnesiac OS on a material that is not re-writable (CD-R). Note this would replace the VM, not the separate Tor machine.


There are plenty of ways to break out of a VM. What if the VM has a filesystem that is read-only by the host?

Drive-by download, cookie fs drop, etc. Attack the indexing server, file previews, etc.

You really want to run the VM on an external host like a raspberry pi and the VM should be different than the host running Tor.

Tor should really be rewritten in a Coq proven Haskell program.



