by sakopov 3676 days ago
You have to query the token validation endpoint to have your reference token validated. That's how OAuth2 works. With OpenID Connect you get a JWT which can be validated without a call to the identity provider.
1 comments

One thing I've not quite got my head around with JWT is not authenticating tokens with the server on each request - am I really just meant to assume a token is trusted until its expiry time? What if a user signs out all their sessions in the meantime, or an employee is fired and needs access revoking? As far as I can tell I do just have to use short-lived tokens and renew them frequently, but that comes with its own set of problems when doing JavaScript-based applications and implicit auth.
Technically JWTs cannot be revoked once they're issued (they just expire). You have to make sure that you delete the JWT from your preferred storage when you sign a user out and issue JWTs for a short period.

Your other option is to allow blacklisting of JWTs per client. However, this will add the additional overhead of making an HTTP request to check if a token is blacklisted. That's how Auth0 does it in their commercial OpenID Connect provider.

That's the trade-off. Either you have "real-time" data but need a database roundtrip, or you save latency but must accept the downside. However, you can use short token lifetimes to mitigate that, something like 10 minutes for example.
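The two options discussed in this thread side by side, as an added example that is not from any of the commenters: a stateless HS256 JWT check (signature plus `exp`, no call to the identity provider) and the same check followed by a lookup in a revocation list keyed by `jti`, which stands in for the blacklist/database round trip. The shared secret, subject names, `jti` values and timestamps are all constructed for the demo; the in-memory dict is an assumption standing in for whatever store a real deployment would query.

```python
import base64
import hashlib
import hmac
import json
from typing import Optional

# Constructed demo secret. A real verifier would hold the IdP's signing key.
SECRET = b"demo-shared-secret-not-for-production"


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(s: str) -> bytes:
    # JWT segments drop the '=' padding; restore it before decoding.
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def issue_token(subject: str, jti: str, ttl_seconds: int, now: int) -> str:
    """Mint an HS256 JWT with a short lifetime and a unique id (jti)."""
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {"sub": subject, "jti": jti, "iat": now, "exp": now + ttl_seconds}
    compact = lambda obj: _b64url_encode(json.dumps(obj, separators=(",", ":")).encode())
    signing_input = compact(header) + "." + compact(payload)
    sig = hmac.new(SECRET, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + _b64url_encode(sig)


def verify_locally(token: str, now: int) -> Optional[dict]:
    """Stateless check: pin the algorithm, verify the MAC, enforce exp.

    Returns the payload on success, None on any failure. No network call,
    which is why a revoked-but-unexpired token still passes here.
    """
    try:
        h, p, s = token.split(".")
        header = json.loads(_b64url_decode(h))
        if header.get("alg") != "HS256":  # refuse "none" and alg-confusion tokens
            return None
        expected = hmac.new(SECRET, f"{h}.{p}".encode("ascii"), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(s)):
            return None
        payload = json.loads(_b64url_decode(p))
    except ValueError:  # covers base64, JSON and unicode decoding errors
        return None
    exp = payload.get("exp")
    if not isinstance(exp, int) or now >= exp or "jti" not in payload:
        return None
    return payload


class RevocationList:
    """Server-side denylist of jti values: the 'blacklisting' option.

    Entries only need to live until the token's own exp, so a short TTL keeps
    this list small. The dict is a stand-in for a database or HTTP lookup.
    """

    def __init__(self) -> None:
        self._revoked: dict = {}  # jti -> exp

    def revoke(self, payload: dict) -> None:
        self._revoked[payload["jti"]] = payload["exp"]

    def is_revoked(self, jti: str) -> bool:
        return jti in self._revoked

    def purge(self, now: int) -> int:
        """Drop entries whose token has expired anyway; returns count removed."""
        dead = [j for j, exp in self._revoked.items() if now >= exp]
        for j in dead:
            del self._revoked[j]
        return len(dead)


def verify_with_revocation(token: str, now: int, revocations: RevocationList) -> Optional[dict]:
    """Stateless check first (cheap), then the round trip to the denylist."""
    payload = verify_locally(token, now)
    if payload is None or revocations.is_revoked(payload["jti"]):
        return None
    return payload


if __name__ == "__main__":
    now = 1_700_000_000
    tok = issue_token("alice", "jti-1", 600, now)  # 10-minute token
    rl = RevocationList()
    print("valid:", verify_with_revocation(tok, now + 1, rl) is not None)
    rl.revoke(verify_locally(tok, now + 1))  # user signs out everywhere
    print("after revoke:", verify_with_revocation(tok, now + 1, rl) is not None)
    print("after expiry:", verify_locally(tok, now + 600) is not None)
```

The ordering in `verify_with_revocation` is deliberate: the signature and expiry checks reject forged and stale tokens before any lookup is made, so the revocation store only ever sees tokens that were genuinely issued, and `purge` keeps it bounded to the token lifetime. Anything the list can't catch (a revocation that hasn't propagated yet) is limited to the remaining TTL, which is the case for keeping that TTL short.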