Well, T_USER matches:
("{USER}",T_USER)
// which is defined as
("USER", "({UNRESERVED})+" )
// which is defined as
("UNRESERVED","{ALPHANUM}|{MARK}")
So, it takes any series of alphanumeric characters (as well as 'marks', which is irrelevant now)
T_DOMAINLABEL matches:
("{DOMAINLABEL}", T_DOMAINLABEL)
// which is defined as
("DOMAINLABEL", "({ALPHANUM})+")
As you can see, any T_DOMAINLABEL token is always a valid T_USER token. So, there is no way it would ever get a T_DOMAINLABEL.
This is not because of "the token not matching", it's a result of tokenizing being eager and not doing backtracking (outside a single token).