They are validating the token, each time a user logs in to their service is a ‘request to their service’, and the session expiration is set short enough on most sites that use Twitch for login so the user is forced to log in again (this can even been done seamlessly without user interaction as long as they haven’t revoked the app). They don’t need to validate again each time you load a different page, or some event triggers, that would be impossible.
Yes, this does leave a window where a user a can log in, and then revoke the app access and continue using the app for as long as the session hasn’t expired. But that’s why session expiration is short to minimise that window of time.