I have used the one time numbers that my Bank of America card creates and have had to retire a few due to breaches and after they were retired I got a call asking me if I had authorised another charge to that now defunct account number, and I said no, so they didn't let the charge through.
I know for example that credit cards with expiration dates can still be charged for a couple of months after the expiration so that users who have not had the chance to update recurring services have more time to do so. Also, it is entirely possible that Apple had placed a hold on your account for the money and when it finally shipped it went from a hold to actual transaction and that is why it was still allowed through.
I had an amex that was compromised, cancelled, and beyond its original expiration date, and AMEX continued to charge Netflix charges to the old expired cancelled/compromised number ... flowing the charges through to my new account number. To their credit, they removed all of the charges once I caught it, but just helps to know that a cancelled number isn't always a cancelled number even when you've already reported the number compromised.
It's a cancelled number, but what happens (this happened to me on xbox live) is that they continue to charge it because they've got an active pre-authorisation. So when they're charging you, they're actually charging that pre-authorisation. If a different merchant were to try the card, it would fail.
Microsoft charged me for two years after the card's expiration date until I noticed.
I know for example that credit cards with expiration dates can still be charged for a couple of months after the expiration so that users who have not had the chance to update recurring services have more time to do so. Also, it is entirely possible that Apple had placed a hold on your account for the money and when it finally shipped it went from a hold to actual transaction and that is why it was still allowed through.