Http Cookie is indeed restricted to use for one domain only. yet, that restriction is imposed by the Browser and as far as the Browser concerned, it only deals with the public endpoint of the website (the domain name localhost
in your example), it doesn't care or knows whether that end-point is actually a load-balancer that will (internally) delegate the request to another host.
When ARR delegate the request to one of the hosts, it append the cookie value to the request as well.
Moreover, ARR itself may rely on a cookie to achieve affinity ('stickiness').