Actually, what is happening is that the local Bandlab Assistant is opening the Bandlab website in your browser to do auth, and then the Bandlab website is trying to re-invoke the local Bandlab Assistant to let it know that you've authorized. So localhost is the correct URL and there's nothing to worry about regarding devs 'forgetting' to update production URLs.
The problem is browser HTTPS redirection and not being able to verify the local certificate, which Chrome and Chrome-based browsers seem pretty insistent on despite having settings specifically for localhost. I had this problem and managed to get past it by calling the auth URL using Postman with all the HTTPS settings set as leniently as possible.
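
The flow described above, as an added example that is not part of the original post and is not BandLab's code: a local helper listens on the loopback interface for the website's redirect and accepts it only when the `state` value matches the one it issued. The `/callback` path, the `code` and `state` parameter names, and the use of plain HTTP on 127.0.0.1 are assumptions made for illustration.

```python
import http.client
import secrets
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import urlparse, parse_qs


class CallbackHandler(BaseHTTPRequestHandler):
    def do_GET(self):
        url = urlparse(self.path)
        query = parse_qs(url.query)
        state = query.get("state", [""])[0]
        code = query.get("code", [""])[0]
        # Accept only the expected path, a non-empty code, and the state we issued.
        ok = bool(url.path == "/callback" and code and secrets.compare_digest(
            state.encode(), self.server.expected_state.encode()))
        if ok:
            self.server.code = code
        self.send_response(200 if ok else 400)
        self.end_headers()
        self.wfile.write(b"authorized" if ok else b"rejected")

    def log_message(self, *args):  # keep the example quiet
        pass


class CallbackServer(HTTPServer):
    """Loopback listener that accepts one authorization callback."""

    def __init__(self):
        # Bind to loopback only; port 0 lets the OS pick a free port.
        super().__init__(("127.0.0.1", 0), CallbackHandler)
        # Random value the helper would send to the website with the auth request.
        self.expected_state = secrets.token_urlsafe(16)
        self.code = None


def simulate_callback(state_override=None):
    """Start the listener, replay the browser's redirect, return (status, code)."""
    srv = CallbackServer()
    worker = threading.Thread(target=srv.handle_request, daemon=True)
    worker.start()
    state = state_override or srv.expected_state
    conn = http.client.HTTPConnection("127.0.0.1", srv.server_port, timeout=5)
    # "constructed-code" is a made-up sample value, not a real authorization code.
    conn.request("GET", f"/callback?code=constructed-code&state={state}")
    status = conn.getresponse().status
    conn.close()
    worker.join(5)
    srv.server_close()
    return status, srv.code
```
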