Validations at domain model level are validate at insert or update at database level. so if your data which you POST originate from the database, its validated. If it is entered by a user, but didn't hit the database, no validation has taken place. In these scenarios you should validate in the microflow before POST activity
https://academy.mendix.com/link/modules/95/lectures/770/8.3-Validation-in-Microflows
Sounds like access rights are not set up correctly in the domain model.