This article explains why using api.access.deny in a post-login action does not clear the session.
This is intended behavior. The post-login action is executed after authentication. When the action is executed, the user has successfully authenticated, and a session has been established. The api.access.deny function applies only to the current transaction and prevents the issuing of the access token.