JWT doesn’t apply to oAuth o.0 (unless you are doing OIDC which is a different matter)
If someone oAuth’s into my server, the token only exists in the server, and I use a session. So if I invalidate the token (or find the token is invalid), I just murder the session, logging them out of my website. (most likely the same amount of code)
But your work flow is perfectly valid, passing the token to your server then to the API, is basically the same as calling the API in the first place.
You basically just have an API proxy (handy if you are gonna call IGDB which has CORS headers in the way to block front end requests)
Nothing wrong with it, just odd to do it this way to me!