Nothing wrong with your approach, but it may be unnecessarily cautious.
You can just change the KDF in the web vault, which will automatically deauthorize all of your logged in devices and log you out of the web vault immediately. It may take up to an hour for some devices to be logged out after the deauthorization, so if you want to ensure that all devices are using the new iteration count, then you can manually log them out.
Unlike a rotation of the account encryption key, your encrypted vault data are completely unaffected by a change to the KDF iterations, so there is no risk involved in continuing to use devices that are still using a deauthorized token (at most, you may get unexpectedly logged out when trying to update a vault item or sync the vault). For this reason, a vault backup is probably not necessary (although it couldn’t hurt, as long as you are careful with the security of your backups).