Finally, I’ve found the solution by looking at Keycloak’s source code: https://github.com/keycloak/keycloak/blob/9cbc335b68718443704854b1e758f8335b06c242/services/src/main/java/org/keycloak/protocol/oidc/endpoints/LogoutEndpoint.java#L169. It says:
If the client is a public client, then you must include a “client_id” form parameter.
So what I was missing is the client_id form parameter. My request should have been:

POST http://localhost:8080/auth/realms/<my_realm>/protocol/openid-connect/logout
Authorization: Bearer <access_token>
Content-Type: application/x-www-form-urlencoded

client_id=<my_client_id>&refresh_token=<refresh_token>

The session should be destroyed correctly.
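
An added example, not part of the original answer or of Keycloak's code: Python that builds the logout request above for a public client and then checks that the session is really gone by retrying the same refresh token, which should be rejected with `invalid_grant`. The base URL follows the request above; the helper names and the probe against the realm's `token` endpoint are assumptions of this example.

```python
import json
import urllib.error
import urllib.parse
import urllib.request

# Assumption: local Keycloak on the legacy /auth path, as in the request above.
BASE = "http://localhost:8080/auth"

def _form_post(realm, endpoint, fields, bearer=None):
    """Build (not send) a form-encoded POST to a realm's OIDC endpoint."""
    url = "%s/realms/%s/protocol/openid-connect/%s" % (
        BASE, urllib.parse.quote(realm, safe=""), endpoint)
    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    if bearer:
        headers["Authorization"] = "Bearer " + bearer
    body = urllib.parse.urlencode(fields).encode("ascii")
    return urllib.request.Request(url, data=body, headers=headers, method="POST")

def logout_request(realm, client_id, refresh_token, access_token):
    # Public client: client_id has to travel as a form parameter.
    fields = {"client_id": client_id, "refresh_token": refresh_token}
    return _form_post(realm, "logout", fields, bearer=access_token)

def refresh_request(realm, client_id, refresh_token):
    # Standard OAuth 2.0 refresh grant, used here only to probe the session.
    fields = {"grant_type": "refresh_token", "client_id": client_id,
              "refresh_token": refresh_token}
    return _form_post(realm, "token", fields)

def session_is_gone(status, body):
    """True if the refresh probe was rejected with invalid_grant (RFC 6749, 5.2)."""
    try:
        error = json.loads(body).get("error")
    except (ValueError, AttributeError):
        return False
    return status == 400 and error == "invalid_grant"

def send(req):
    """Send a request and return (status, body) without raising on 4xx/5xx."""
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, resp.read().decode()
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode()

def logout_and_verify(realm, client_id, refresh_token, access_token):
    # Log out, then retry the same refresh token: it must no longer work.
    status, _ = send(logout_request(realm, client_id, refresh_token, access_token))
    return status, session_is_gone(*send(refresh_request(realm, client_id, refresh_token)))
```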