Will Laravel share sessions across all subdomains?
I currently have an application running Laravel as an API and a SPA app as the frontend. They reside in a domain myapp.com: the API is at api.myapp.com and the frontend is at app.myapp.com.
I'm using Laravel Sanctum as the authentication package and they're working fine, no errors or bugs of any kind, but something got me thinking. I'm planning to deploy a hotsite at the main domain (myapp.com), and one of the steps of installing/configuring Sanctum as a SPA authentication alternative is to define a .env variable called SESSION_DOMAIN and set it to .yourdomain.com, which in my case would be .myapp.com, and a .env variable called SANCTUM_STATEFUL_DOMAINS and set it to spa.yourdomain.com, which in my case would be app.myapp.com.
With that in mind, if I deploy a hotsite using Laravel at the root domain (myapp.com), wouldn't it mean that the session from the API would be shared across the apps, since the SESSION_DOMAIN variable is set to .myapp.com (which translates to all subdomains and the root domain)?
I tried to set the SESSION_DOMAIN variable to app.myapp.com in the API .env, but the browsers refuse to use the cookie saying that "this attempt to set a cookie was blocked because its domain attribute was invalid with regards to the current host url".
The API uses a database connection as a session driver and the hotsite would use a file session driver. The hotsite would not have any authentication method, but Laravel still uses sessions to control user agents.
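The browser behaviour the question turns on, as an added example that is not part of the original post: a simplified model of the RFC 6265 Domain-attribute rules, run against the three hostnames from the question. The function names are hypothetical, and the sketch assumes no public-suffix list and no IP-address hosts.

```javascript
// Added example: simplified RFC 6265 cookie Domain handling.
// Assumptions: no public-suffix check, hosts are DNS names (not IPs).

// RFC 6265 section 5.1.3: a host matches a cookie domain if it is
// identical to it or is a subdomain of it.
function domainMatch(host, cookieDomain) {
  host = host.toLowerCase();
  cookieDomain = cookieDomain.toLowerCase();
  return host === cookieDomain || host.endsWith('.' + cookieDomain);
}

// What the browser stores when settingHost answers with Set-Cookie and
// the given Domain attribute. Returns null when the cookie is rejected.
function storeCookie(settingHost, domainAttr) {
  if (!domainAttr) {
    // No Domain attribute: host-only cookie, never sent to other hosts.
    return { domain: settingHost.toLowerCase(), hostOnly: true };
  }
  // A leading dot is ignored, so ".myapp.com" and "myapp.com" are equal.
  const domain = domainAttr.replace(/^\./, '').toLowerCase();
  // The setting host must itself fall inside the Domain it names.
  if (!domainMatch(settingHost, domain)) return null;
  return { domain, hostOnly: false };
}

// Whether a stored cookie is attached to a request for requestHost.
function isSentTo(cookie, requestHost) {
  if (cookie === null) return false;
  return cookie.hostOnly
    ? requestHost.toLowerCase() === cookie.domain
    : domainMatch(requestHost, cookie.domain);
}

// Hostnames taken from the question.
const HOSTS = ['myapp.com', 'app.myapp.com', 'api.myapp.com'];

// Hosts that receive a cookie set by settingHost, or null if rejected.
function recipients(settingHost, domainAttr) {
  const cookie = storeCookie(settingHost, domainAttr);
  return cookie === null ? null : HOSTS.filter((h) => isSentTo(cookie, h));
}

console.log(recipients('api.myapp.com', '.myapp.com'));    // all three hosts
console.log(recipients('api.myapp.com', 'app.myapp.com')); // rejected
console.log(recipients('api.myapp.com', ''));              // host-only
```

This models only which hosts the browser sends the cookie to; whether a receiving application can resolve that cookie to a session is a server-side matter the sketch does not cover.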