

Laravel Sanctum and Cookie-Based Authentication Security

So I have a SPA set up to authenticate with a Laravel application using Laravel Sanctum's suggested cookie-based authentication.

I'm having a bit of a hard time understanding the security surrounding using the cookie-based sessions however. From what I can see, if I authenticate with my Laravel application, I receive the session in a cookie in my storage client-side. All well and good, and expected.

However, if I then request some data, and then proceed to log out of my application, then send a request for data with a previous request in the network tab, I get the data returned, despite having previously attempted to unauthenticate with Laravel. This seems to me like Laravel has not invalidated the previous session.

Take the following scenario:

  • Send GET to /sanctum/csrf-cookie
  • Send POST to /auth/login with above cookie (and auth creds)
  • Send GET to /auth/user with above cookie (receive auth user back)
  • Send POST to /auth/logout with above cookie
  • Session should be invalidated
  • Send POST to /auth/user (using first cookie, or resend first /auth/user request in network tab)
  • I get the /auth/user data back, after attempting to logout

I can't fathom that Laravel would allow this to be a thing, so I'm somewhat confident there's a step I'm missing somewhere.

The following is what I have in my logout controller at present; I've tried with and without the web guard, with and without the session invalidate calls. Is there a "right" way of doing this, or is this just some flaw in the way cookie-based sessions work; are they only stored client-side? Should I be able to request data again and be authenticated?

Auth::guard('web')->logout();            // clear the authenticated user from the web guard
$request->session()->invalidate();       // flush the session data and regenerate the session ID
$request->session()->regenerateToken();  // rotate the CSRF token
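As an added illustration that is not part of the original post and not Laravel's own code: a minimal in-memory model of server-side sessions in plain PHP. The cookie carries only an opaque session id, the user is looked up in a store the server controls, and invalidation deletes that server-side record. Walking the scenario from the post through this model shows what a correct logout has to achieve for a replayed copy of the old cookie to be rejected. The route handlers and the user id 42 are hypothetical and only mirror the routes named above.

```php
<?php
// Added illustration, not code from the original post: an in-memory model of
// server-side sessions. Only an opaque id travels in the cookie; the session
// record, including the logged-in user, lives on the server.
declare(strict_types=1);

final class SessionStore
{
    /** @var array<string, array<string, mixed>> server-side records keyed by session id */
    private array $records = [];

    public function start(): string
    {
        // A fresh, empty record with an unguessable id (sample generation, not Laravel's).
        $id = bin2hex(random_bytes(20));
        $this->records[$id] = [];
        return $id;
    }

    public function put(string $id, string $key, mixed $value): void
    {
        if (!isset($this->records[$id])) {
            throw new RuntimeException('unknown session id');
        }
        $this->records[$id][$key] = $value;
    }

    public function get(string $id, string $key): mixed
    {
        return $this->records[$id][$key] ?? null;
    }

    // What an "invalidate" must do for logout to hold up: destroy the old record
    // server-side and hand the client a new, empty session id.
    public function invalidate(string $id): string
    {
        unset($this->records[$id]);
        return $this->start();
    }
}

// Hypothetical handlers standing in for the routes named in the post.
function handleLogin(SessionStore $store, string $cookie, int $userId): void
{
    $store->put($cookie, 'user_id', $userId);
}

function handleUser(SessionStore $store, string $cookie): ?int
{
    // The authenticated user id, or null when the cookie maps to no live session.
    $userId = $store->get($cookie, 'user_id');
    return is_int($userId) ? $userId : null;
}

function handleLogout(SessionStore $store, string $cookie): string
{
    return $store->invalidate($cookie);
}

// Replay the scenario from the post against the model.
$store  = new SessionStore();
$cookie = $store->start();                    // GET /sanctum/csrf-cookie: browser receives a session cookie
handleLogin($store, $cookie, 42);             // POST /auth/login with that cookie (42 is a constructed user id)
assert(handleUser($store, $cookie) === 42);   // GET /auth/user returns the user

$replayed  = $cookie;                         // the copy a "resend request" in the network tab would carry
$newCookie = handleLogout($store, $cookie);   // POST /auth/logout destroys the record server-side

// The replayed id no longer exists in the store, so no user comes back;
// the new id exists but holds no user either.
assert(handleUser($store, $replayed) === null);
assert(handleUser($store, $newCookie) === null);
echo "replayed session rejected after logout\n";
```

Run it with `php -d zend.assertions=1 session_model.php` (the file name is arbitrary) so the `assert` calls are evaluated. The check a practitioner wants from a real deployment is the same one the script performs: after logout, a request carrying the old session cookie must come back unauthenticated, which is only possible when the server-side record is gone, not merely when the browser has forgotten the cookie.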