The “de” sub zone would never return an “at” server.
What happens (as I think you mentioned), is that users in Germany are using a DNS server that the system thinks is in Austria. The system only gets the IP of the DNS server, not the NTP client IP.
https://www.mapper.ntppool.org/ is a debug tool that checks the IP of your DNS resolver.
https://www.mapper.ntppool.org/json returns the data, for example:
curl -Ls https://www.mapper.ntppool.org/json
Of course that doesn’t help find miss located servers unless it’s happens to be the one you use…
Given more subnets of German clients hitting an Austrian server and with enough “probes” to the mapper there might be data to figure it out.
A txt query like this gives some debug data, too. Maybe that’s something RIPE Atlas can return for a bunch of probes:
dig -t txt _country.pool.ntp.org