That would be one way. In the VPN provider scenario if the ISP can snoop on both the incoming and outgoing traffic that can correlate the two by analyzing the timing and packet sizes. This is how Tor can be defeated as well but it's much simpler to do to a VPN service since they prioritize speed over privacy more than Tor.

This could be as simple as connecting the dots between you logging into your ISP account to pay your bill via the VPN.

This is one specific way in which a VPN is a poor solution to protecting privacy. It means the user has to constantly be on guard to which traffic should go over the VPN and which should not. Even one single slip up could negate all the benefits you think you are getting.

Edit: This reply should have been a couple levels higher, addressing the general tracking discussion rather than NATs specifically.