Deauthorize Sessions doesn't invalidate CLI session

I logged in through the CLI, got the session key, and then listed items with:

bw list items --session <session_string>

Then on the web, under Settings > My Account > Deauthorize Sessions > Confirmed

It logged me out from the web vault, and the phone app. But the CLI was still working with the same session string. I read that remote session can remain valid for 1 hour. However 24 hours later, the same session key is still returning me the data

Is this a bug, or am I not understanding how this is supposed to work?

The CLI session key is local to the device and cannot be remotely revoked. If you try some operation against the server it will fail because the server’s token was deauthorized.