If you inject the current route match service (current_route_match) and use it inside an access() method, your access check will only work when the user is actually visiting that route in the browser.
However, if access is checked programmatically from another page (e.g., via an access API or a block), the current route match will be from that other page, not the one you actually want to check access for.