The expected behavior is described in the vSphere Client Plugin SDK[1]:

To authenticate by using the Web Services API, the plug-in server clones the user session that is currently in use by the plug-in user interface. This gives the plug-in server the same access rights as the user who is logged in with the vSphere Client.

This means that your plugin authenticates _when_ the end-user logs into vSphere UI and access your plugin, which is where the session will then be cloned from

1 - https://vdc-repo.vmware.com/vmwb-repository/dcr-public/91497cba-e580-415b-a84f-2840c1fb8119/71cc9624...