You probably don’t need all of that. You can probably do:
Get-ADUser $user
It automatically runs that against the -Identity parameter instead, and tries to match against name, CN, and samAccountName. I don’t think it matches against surname, though.
Ultimately, what’s probably happening is “$user” is being sent as a literal string to the domain controller, and since you don’t have a user named “$user” it isn’t working. It’s because the script block {} prevents the variable from being evaluated before the filter is shipped off to the DC. People run into the same problem trying to use $null, for example.
As a test, try putting a legit username in place of $user – make sure it works with a hardcoded value, in other words. If it does, then your problem is that it isn’t evaluating $user as a variable but is instead sending it as a literal.
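The hardcoded-versus-variable test suggested in the post above, as an added example that is not part of the original post. It builds the filter as a double-quoted string so PowerShell expands the variable before the cmdlet receives it, and compares that with `-Identity`. Assumptions: the ActiveDirectory (RSAT) module, a reachable domain controller, the helper name `Find-AdUserByLogon`, the allow-list pattern, and the sample logon name `jdoe`.

```powershell
# Added example. Assumes the ActiveDirectory (RSAT) module and a reachable domain controller.
Import-Module ActiveDirectory

function Find-AdUserByLogon {            # hypothetical helper name
    [CmdletBinding()]
    param([Parameter(Mandatory)][string]$User)

    # The value is interpolated into the filter text, so reject anything that is
    # not a plain logon name first. The pattern is an assumption; adapt it to
    # your own naming scheme.
    if ($User -notmatch '^[A-Za-z0-9._-]{1,20}$') {
        throw "Refusing to build a filter from unexpected input: '$User'"
    }

    # Double-quoted string: PowerShell expands $User here, so Get-ADUser
    # receives the value rather than the text '$User'.
    $filter = "SamAccountName -eq '$User'"
    Write-Verbose "Filter passed to Get-ADUser: $filter"

    # -Filter returns nothing (no error) when no object matches.
    $byFilter = Get-ADUser -Filter $filter

    # -Identity raises an error when the account does not exist.
    try {
        $byIdentity = Get-ADUser -Identity $User -ErrorAction Stop
    } catch [Microsoft.ActiveDirectory.Management.ADIdentityNotFoundException] {
        $byIdentity = $null
    }

    [pscustomobject]@{
        Filter     = $filter
        ByFilter   = $byFilter
        ByIdentity = $byIdentity
    }
}

# Step 1: hardcoded value ('jdoe' is a constructed sample name).
Find-AdUserByLogon -User 'jdoe' -Verbose

# Step 2: the same lookup through a variable. If step 1 finds the account and
# this does not, the variable's content is the problem, not the query.
$user = 'jdoe'
Find-AdUserByLogon -User $user -Verbose
```

The `-Verbose` output shows the exact filter text handed to the cmdlet, which is the quickest way to see whether a literal `$user` or the expanded value is being sent.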