Like the OP said, How they gonna catch you?
You really think one of the most powerful media companies in the world doesn't know how to do simple detective work?
People are also stupid and use their real names when reselling stuff, or for their personal shopper social media pages. It's easy enough for an amateur doing some basic searching of ebay and Facebook marketplace listings to match people by name and location.
Disneyland has all your personal info on file when you buy an AP.
For example, John P. Smith of Garden Grove, CA is an AP holder. John Smith, with a Facebook location of "Garden Grove, CA" posts 25 Mickey Sipper cups for sale on November 19. Disney sees these listings, searches the AP log for the name John Smith, finds one who lives in Garden Grove, and according to his record, he was in the park on November 18, and he used his AP to get a discount at 25 merchandise locations that day. Disney knows John P. Smith who listed those sipper cups is violating the terms of his AP. Disney revokes John P. Smith's AP. Easy peasy.
Disneyland has a crew of full time CMs whose sole job is combing through social media and internet marketplace listings for people who routinely sell large quantities of Disney parks merchandise. Then, they simply try to determine which ones are AP holders.