Thanks @rueben.tiow
Our solution: we don’t use api.access.deny() anymore but use api.redirect.sendUserTo('https://{auth0_tenant}.eu.auth0.com/v2/logout?returnTo=https%3A%2F%2Fexample.com').
With this, the not-allowed user will be logged out immediately after the login and gets redirected to the specified returnTo URL.