db/access.php only sets the default role mapping that is only read when module is installed (or a new capability was added).
Check the Student role and make sure that this capability is set to prohibit there.
If you do not see this capability when editing the role - make sure that you have bumped the plugin version and ran upgrade