Users are linked based on email address. When WordPress is rendered, it'll use the default XenForo login process and cookie and either pick an already linked user account, create a new link based on email or create a new account if no match could be found.
If you're absolutely positive that it is showing a user that should not be linked to that XenForo account, this might be the result of an agressive cache that is instead showing the rendered page of a different visitor.