LogonUser() not authenticating user for invalid domain when computer is not on a domain
I believe that workgroup members don't support domain logons so the domain parameter is ignored. This explains what you are seeing.
You can confirm this. Try to authenticate using a real domain user (ensuring there isn't a local account with the same name). The logon should fail.
There is an exception. If you use the LOGON32_LOGON_NEW_CREDENTIALS
flag (which amends the existing logon rather than creating a new one) then a domain logon will always succeed because it isn't authenticated until you attempt to access a remote resource.