Hacker News

vidarh, yesterday at 7:50 PM

The moment you have to look up the user object, you've lost the primary advantage of JWT, and might as well ditch it.


Replies

littlecranky67, yesterday at 7:56 PM

Depends on the system. If you use JWTs for authentication only, they still serve a purpose. Sessions also only serve as authentication, not authorization. Authorization is independent of both systems, and it depends on how you implement that.

There are systems where the authorization is done in the JWT too (i.e. scopes/permissions in the token) - in that case you are right.

joshmarlow, yesterday at 8:05 PM

It definitely violates DRY, but if you keep passing the JWT down the call chain, you can do redundant permission checking in your business layer.

Now the reasonable response to the above is that this should be happening in a dedicated authn/z concern - and that is correct! But when paranoia is called for, it's not unreasonable to have redundant checks in logic where authz is critical.
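To make the two points above concrete (the authn/authz split littlecranky67 describes, and the redundant business-layer check joshmarlow describes), here is a small added example that is not from any commenter or project. It verifies an HS256 JWT once at the edge (authentication), then passes the verified claims object down and re-checks the scope inside the business function, so a caller that reaches `delete_document` by some other path still cannot skip the authorization rule. The secret, the `docs:delete` scope name, the `mint_token`/`authenticate`/`delete_document` functions and the in-memory store are all constructed for this example.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed shared secret for the example only; a real service loads its key from a secret store.
SECRET = b"example-hs256-secret-not-for-production"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def mint_token(claims: dict, key: bytes) -> str:
    """Build a compact HS256 JWT (header.payload.signature) over the given claims."""
    header = {"alg": "HS256", "typ": "JWT"}
    enc = lambda obj: _b64url(json.dumps(obj, separators=(",", ":")).encode())
    signing_input = f"{enc(header)}.{enc(claims)}"
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url(sig)}"


def authenticate(token: str, key: bytes, now=None) -> dict:
    """Authentication only: check algorithm, signature and expiry, return the claims."""
    parts = token.split(".")
    if len(parts) != 3:
        raise PermissionError("malformed token")
    h_b64, p_b64, s_b64 = parts
    header = json.loads(_b64url_decode(h_b64))
    if header.get("alg") != "HS256":
        raise PermissionError("unexpected alg")  # refuses alg=none and algorithm swaps
    expected = hmac.new(key, f"{h_b64}.{p_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s_b64)):
        raise PermissionError("bad signature")
    claims = json.loads(_b64url_decode(p_b64))
    now = int(time.time()) if now is None else now
    if int(claims.get("exp", 0)) <= now:
        raise PermissionError("expired")
    return claims


def require_scope(claims: dict, scope: str) -> None:
    """Authorization: the scope claim is a space-separated list, as in OAuth-style tokens."""
    if scope not in claims.get("scope", "").split():
        raise PermissionError(f"missing scope {scope}")


def delete_document(claims: dict, doc_id: str, store: dict) -> bool:
    """Business layer. Receives the verified claims and re-checks the scope (the redundant check)."""
    require_scope(claims, "docs:delete")
    if doc_id not in store:
        return False
    del store[doc_id]
    return True


def handle_delete_request(token: str, doc_id: str, store: dict, now=None) -> bool:
    """Edge handler: authenticate once, check the scope, then pass the claims down."""
    claims = authenticate(token, SECRET, now)
    require_scope(claims, "docs:delete")
    return delete_document(claims, doc_id, store)


if __name__ == "__main__":
    store = {"doc-1": "hello"}
    tok = mint_token({"sub": "alice", "scope": "docs:read docs:delete", "exp": 2_000_000_000}, SECRET)
    print(handle_delete_request(tok, "doc-1", store, now=1_000_000_000), store)
```

The scope check in `delete_document` is deliberately the same call as the one in the handler; the value of the duplication is that the business function no longer trusts that every caller went through the handler.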