So your absolutely correct, once you have the JWT from the underlying OAuth process it will work across all cluster members based upon the lifetime of the bearer token.
There are a few things to be aware of and some of this relates back to the underlying PUB/SUB architecture.
In short, updates {POST/PATCH/DELETEJ} can only be made when there is an active PUB in the cluster, why you ask, well because the PUB is the only node with write capabilities. So if you say PATCH against a SUB, it will proxy the command to the PUB to update the Db. If the PUB has gone done or the PUB is transitioning to the standby-PUB the HTTP PATCH will fail. Not that the PUB should ever go down and if it does the standby can be configured to automatically take over.
I'd prefer not writing to the VIP but to the 'real' address.
HTH