Good question, and I do not have THE answer.
However, having an API exposed and not having multiple sessions for an API user could result in issues when the integration is consumed multiple times at the same time, using the same API user. In case where each API call requires an unique API user, this wouldn't an issue. Though I see multiple sessions for a single API user as more common. As in most cases it is used per app and not per user of an app.
TLDR: an API-user is functionally not the same as a normal app user.
If there would be a case where a single session per API user should be enforced, Start the microflow with retrieving the API user sessions. if 1, continue, if 2 end microflow and change response to a 401 not authorized or something like this