AppLinks assetlinks.json appears not to be used for validation

I'm implementing app links on Android. Our server team have hosted assetlinks.json on our dev end point /.well-known/assetlinks.json.
In my apps manifest, I've written the intent filter as per the official documentation like so:

<!-- Intent filter for supporting deep linking (referred to as magic login links) -->
<intent-filter
    android:autoVerify="true"
    tools:ignore="UnusedAttribute">
    <action android:name="android.intent.action.VIEW" />

    <category android:name="android.intent.category.DEFAULT" />
    <category android:name="android.intent.category.BROWSABLE" />

    <data
        android:host="@string/app_link_login_host"
        android:scheme="https" />
    <data
        android:host="@string/app_link_login_host"
        android:scheme="http" />
</intent-filter>

Now, as I understand it, when the app is first run, the Android OS will search the manifest for all intent filters which contain a host/scheme pair, where autoVerify=true, and the VIEW action and DEFAULT and BROWSABLE categories are present. It will then go to the host URL and request the assetlinks.json file from the /.well-known/ path, and use the SHA hash and package name within this json file to validate the app is allowed to accept deep links from the given host. If this succeeds, then the app should be flagged as status: always with respect to links provided from the host within the intent filter. If it fails, then the app would be flagged as status: never for the host.
However, our server team have setup a new endpoint for staging and they have NOT uploaded the assetlinks.json file to the /.well-known/ path (in fact they haven't hosted it at all). Yet the application is still hooked up to accept links from the host specified in the manifest (when it should have failed validation due to no assetlinks file being present on the end point).
This is when I realized that perhaps the dev endpoints assetlinks.json file was never being used for verification of the application either, and I've only just noticed because the deep link still worked on the staging environment (when it shouldn't have).
Is this a bug with Android OS (in other words, it's not doing assetlink checking at all?). And yes, I did an uninstall of the old application that was pointing at dev server before installing the version that points at staging...
Here are the official docs:
https://developer.android.com/training/app-links/
And here is the paragraph in particular which is the root of my problem (as it clearly states that if ANY of the hosts do not resolve an assetlinks.json file at the /.well-known/ path (including validating the retrieved assetlinks.json file against the client application) then the application will not be hooked up to accept the links (i.e. status: none).

When android:autoVerify="true" is present on any one of your intent filters, 
installing your app on devices with Android 6.0 and higher causes the system to 
attempt to verify all hosts associated with the URLs in any of your app's intent 
filters. Verification involves the following:

The system inspects all intent filters that include:
Action: android.intent.action.VIEW
Categories: android.intent.category.BROWSABLE and android.intent.category.DEFAULT
Data scheme: http or https
For each unique host name found in the above intent filters, Android queries the 
corresponding websites for the Digital Asset Links file at https://hostname/.well-known/
assetlinks.json.
Only if the system finds a matching Digital Asset Links file for all hosts in the 
manifest does it then establish your app as the default handler for the specified URL 
patterns.

from AppLinks assetlinks.json appears not to be used for validation