Accounts: How to revoke a resume token for a specific service?

I’m trying to implement the Sign In with Apple workflow based on Apple’s best practices. Apple allows people to revoke a sign in using their web-based Apple ID maintenance website at https://appleid.apple.com/.

Once the user does this, they will signal your server about this. Apple expects that users that are currently logged in would be kicked out of their session, as described in this video at 11:30:

However, since Meteor’s resume tokens don’t store the service they have been created for, I have no way to tell which of the resume tokens should be deleted for this purpose.

I could delete the whole service entry. But this would prevent the user from signing in with their Apple ID again, at least to the same account. Apple informs the user about this potential consequence when they revoke the consent, but I think it’s not a good practice to permanently lock out a user from their account in this situation.

And even if I did, this would not kick the user out of the session anyways, since the resume token is still there. The only option to sign the user out would be to revoke all resume tokens, which would kick the user out of all sessions on all clients, even if they have used another login method there.

Did I miss something here, or is there another way to handle this situation in a way that I can explicitly revoke a resume token for a specific service?
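
One way to model per-service revocation, as an added example that is not part of the original post and not Meteor's own code: each resume token is tagged with the login service that issued it, so a revocation for one service removes only those tokens and leaves the service entry in place. The `service` field, the helper names and the sample user document are assumptions made for illustration; the document is a plain in-memory object shaped like `services.resume.loginTokens`.

```javascript
// Constructed user document. The { hashedToken, when } token shape follows
// Meteor's services.resume.loginTokens; the `service` tag is the assumed addition.
function makeUser() {
  return {
    _id: 'u1',
    services: {
      apple: { id: 'constructed-apple-sub' },
      password: { bcrypt: 'constructed' },
      resume: { loginTokens: [] },
    },
  };
}

// Hypothetical helper: store a token together with the service that issued it.
function addLoginToken(user, hashedToken, service, when = new Date()) {
  user.services.resume.loginTokens.push({ hashedToken, when, service });
}

// Hypothetical helper: remove only the tokens issued through `service`.
// Tokens with no tag (created before tagging was introduced) cannot be
// attributed to a service; `revokeUntagged` decides whether they go too.
function revokeTokensForService(user, service, { revokeUntagged = false } = {}) {
  const revoked = [];
  const kept = [];
  for (const t of user.services.resume.loginTokens) {
    const hit = t.service === service || (revokeUntagged && t.service === undefined);
    (hit ? revoked : kept).push(t);
  }
  user.services.resume.loginTokens = kept;
  // user.services[service] is left untouched, so the user can sign in again later.
  return revoked.map((t) => t.hashedToken);
}

// Constructed scenario: one Apple session, one password session, one legacy token.
function demo(options) {
  const user = makeUser();
  addLoginToken(user, 'hash-phone-apple', 'apple');
  addLoginToken(user, 'hash-laptop-password', 'password');
  user.services.resume.loginTokens.push({ hashedToken: 'hash-legacy', when: new Date() });
  const revoked = revokeTokensForService(user, 'apple', options);
  const remaining = user.services.resume.loginTokens.map((t) => t.hashedToken);
  return { revoked, remaining, appleServiceKept: user.services.apple !== undefined };
}
```
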