You can't refer to recordset values directly in security rules. They will be out of scope... also if both the Session variable and Recordset value don't exist, they will match and access will be granted.
The solution is probably to just verify the TeamID session variable exists as the rule.