Canarytokens are simple by nature and are designed to retrieve as much information as possible. The information returned in the token alert solely depends on the type of token that has been triggered.
For example, the PDF token uses DNS for its alerting channel. This means the PDF token will only alert you on the IP address of the last DNS server that handled the request and will not contain the internal IP address of the attacker.
The MS Word token, on the other hand, uses both DNS and HTTP for its alerting channels. If the HTTP request is successful, the alert will contain more information. It is also possible that the HTTP token will include the internal IP address. This depends on a bug within the attacker's browser that leaks the internal IP address. If the bug is not present, the alert will not contain the internal IP address of the attacker.
The good news is that even if the internal IP address is not alerted on, you still have a starting point for your investigation:
Location of the token (e.g., File Server, Laptop, etc.)
We also have MS Word & MS Excel (Macro-enabled) tokens. These Macro-enabled tokens will return more information (including the internal IP).