So now I'm able to elaborate a bit more. I'm gonna skip the actual numbers, because I don't know them.
The information would go this way:
From the Application layer you produce it and encrypt it, then the Transport layer splits it into packets and hands it to the Network layer through port 443, which will send it to the AP (via the Link layer), then the AP would check the address and realize it's an external address and send it to the router. The router then checks with the DNS server (I'm not sure how TOR handles name resolution. Maybe it encrypts the traffic?), then sends it to the next computer acting as the hop. In the middle of your router and the first hop, the Network and Link layer would decide how to route each packet, until it gets to the hop. At this point the MAC address would change many times, even before reaching the hop. Then...
Then the hop puts together the information, decrypts one "layer" and repeats the process, without re-encrypting the information.
I am a bit confused now though, because I'm not really sure if spoofing is that important. Your gateway isn't logging everything each address is sending anyways, and your router's address is not spoofed, so it could still be traced to your home.
As you said, it's probably a lot more useful when you are on "public" networks, but it could still be useful in your own home, if it ever gets traced back to your router.
Access points work more like hubs or switches than routers, they aren't taking the packet in and looking at the address and making routing decisions based on the IP address, the WAP will make switching decisions based on the hardware address (or just blindly spit out any/everything).
Hubs work at layer 1, the electrical layer, they just take everything into one port and spit it out all the other ports.
Switches work at layer 2, providing segmentation, the switching that they do is based on the MAC address - that's why they keep an ARP table, they know what physical device is connected to what port, so when a packet comes into interface 1, destined for device aa:bb:cc:dd:ee:ff, it's going to know where that device is (which port to spit the data out of) by checking the MAC address table.
Routers work at layer 3 to know where the next hops (gateway devices that you need to route through) are.
(This will unfortunately be really long.) - but I'll not mention VPN, TOR, or WAPs.
your Application (web browser) (L7) generates data (get /indx.html)
goes down the stack and is encrypted (L6)
and put into a socket to manage the connection (L5)
it then has a port number assigned, and transport protocol defined (L4)
then the source IP is defined (L3) and routing decisions are made...
next, your packet from your machine 192.168.1.3 needs to get to device 1.2.3.4 (server). your routing table says that you cannot connect directly, but you have a default route that says all non-connected networks go via that address.
so now we know that we want to reach 1.2.3.4, but are going to send that to 192.168.1.1 (which will accept and forward the packet).
(down to layer 2)
So, your computer now wants to send a message to your router...
so it sends an ARP packet saying "who has 192.168.1.1, tell 11:11:11:11:11:11". your router replies, "tell 192.168.1.3, 22:22:22:22:22:22 has 192.168.1.1"
so now it sends the packet to that hardware address, 22:22:22:22:22:22, with a destination address of 1.2.3.4
and it sends that via a cable (layer 1) or a radio wave (also layer 1)
so now the router 192.168.1.1 receives the following "message"
to: 22:22:22:22:22:22
to: 1.2.3.4
from: 11:11:11:11:11:11
from: 192.168.1.3
data: xzy
the router says well I AM 22:22:22:22:22:22 but I am not 1.2.3.4 so I know to route this.
now the router applies NAT to the source address, changing it to 10.11.12.14 and attempts to forward to the destination, (all this stuff involves IP so happens at L3)
the router checks its route table, and it says, I have no direct connection to 1.2.3.4 so I need to forward to my default gateway (The ISP device) 10.11.12.14
so the same thing happens again. it will check its ARP cache to determine the interface to send out of. if it can't find it, it'll send an ARP packet saying
who has 10.11.12.14, tell 33:33:33:33:33 (the external interface hardware address)
the ISP will reply, tell 33:33:33:33:33 that 44:44:44:44:44:44 has 10.11.12.14.
And so on.
so by the time you get to the ISP (still nowhere near the destination) the hardware/MAC address has been dropped and replaced from the frame, because it is only useful for communication on the network segment.
repeat for less than 30 hops and the server receives a packet, doesn't ignore it because it is for its hardware address (L2), looks at the IP (L3) and knows it is for it. sees the protocol and port (L4) so attaches the socket, (L5) which takes the data and decrypts it (L6) and then passes it to the server application (L7)
(which then sends the response back down through the stack, on the network to the gateway, NATs back to its external address, over the network to your router, which sees the response from the address, associates it with an entry in the NAT table, knows it is for your computer, sends to your IP based on the cached hardware address MAC associated with the IP, then your PC receives it, sees the port, passes to the open socket, un-encrypts it, passes it back to the application and you see...
"404 page not found" - all that work to realize that you spelled index wrong many paragraphs ago!)
(for the sake of completeness, you might find that your home router doesn't ARP at all, instead it has a route statement that sends all traffic to a next hop via a specific interface rather than figuring out the interface to use via an ARPing process...)
Either way, hardware addresses are only useful in the network segment that you are on. - This means, if you are in your own home using a cable, then (short of some sort of literal wire tap!) MAC spoofing is not really useful.
if you are using wireless and transmitting your adapter's MAC address, and you're worried about the use of things like aircrack, and promiscuous packet sniffing on air (from law people inside WIFI range), then a fake MAC may be useful. (but let's face it, if the police have you pinned down so much that they rent the next door house just to sniff your WIFI traffic, they are probably just looking for the bits that neaten the charges. you're still pretty boned.)
If you're doing nefarious "stuff" in Starbucks or some other network you don't trust, or don't know who runs, it's definitely something you should consider.
If you plan to use time restricted public WIFI that tracks devices via MAC address, it's definitely something you want to do...
If you want to mess about with planning officials who decided that a good way to track people is to track the detecting network beacon MAC address sent by phones to see if there are available networks, to allow them to anonymously track specified people through a city, it's definitely something that you should do.
(and anyone using iPhones with iOS 8 or above, your phone will already spoof your MAC address whilst sending beacons to detect available networks, because they like messing with town planners too (and are privacy minded!))
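The walkthrough above, as an added example that is not part of the original posts: a small Python model of the frame crossing each segment, showing which headers are rewritten at every hop and on which segments the host's MAC address is actually visible. The addresses come from the post where it gives them; the six-octet 33:.. value and the 55:.. and 66:.. MACs are constructed for the illustration, as are the class and function names.

```python
from dataclasses import dataclass, replace

@dataclass(frozen=True)
class Frame:
    src_mac: str
    dst_mac: str
    src_ip: str
    dst_ip: str
    data: str

@dataclass(frozen=True)
class Router:
    name: str
    egress_mac: str       # hardware address of the outgoing interface
    next_hop_mac: str     # learned via ARP on the outgoing segment
    nat_src_ip: str = ""  # non-empty: rewrite the source IP (NAT)

    def forward(self, frame: Frame) -> Frame:
        # L2 header is rebuilt for the next segment; L3 destination is untouched.
        return replace(
            frame,
            src_mac=self.egress_mac,
            dst_mac=self.next_hop_mac,
            src_ip=self.nat_src_ip or frame.src_ip,
        )

def trace(frame, path):
    """Return the frame as it appears on each successive network segment."""
    seen = [frame]
    for router in path:
        seen.append(router.forward(seen[-1]))
    return seen

def segments_exposing(mac, seen):
    """Indexes of the segments on which `mac` appears in a frame header."""
    return [i for i, f in enumerate(seen) if mac in (f.src_mac, f.dst_mac)]

# Addresses from the post; the 33:.., 55:.. and 66:.. values are constructed.
HOST_MAC = "11:11:11:11:11:11"
first = Frame(HOST_MAC, "22:22:22:22:22:22", "192.168.1.3", "1.2.3.4", "xzy")
PATH = [
    Router("home router", "33:33:33:33:33:33", "44:44:44:44:44:44", "10.11.12.14"),
    Router("ISP router", "55:55:55:55:55:55", "66:66:66:66:66:66"),
]
SEEN = trace(first, PATH)

if __name__ == "__main__":
    for i, f in enumerate(SEEN):
        print(f"segment {i}: {f.src_mac} -> {f.dst_mac} | {f.src_ip} -> {f.dst_ip}")
    print("host MAC visible on segments:", segments_exposing(HOST_MAC, SEEN))
```

Segment 0 is the local network between the host and the home router; anything listening beyond it sees only the router's and later hops' hardware addresses.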