Why does a deauth attack work on WPA2 despite encryption?

The use of encryption in 802.11 is limited to data payloads only. Encryption does not apply to the 802.11 frame headers, and cannot do so as key elements of 802.11 headers are necessary for normal operations of 802.11 traffic.

Since 802.11 management frames largely work by setting information in the headers, management frames are not encrypted and as such are easily spoofed.

To prevent deauthentication/disassociation attacks, the IEEE implemented the 802.11w amendment to 802.11. This provides a mechanism to help prevent the spoofing of management frames, but both client and infrastructure need to support it (and have it enabled) for it to function. You can find a bit more information on 802.11w in my answer here if you want to learn more.


That's one of the major problems with the 802.11i standard. Deauthentication frames, as well as all other 802.11 management frames, are not encrypted. As you observed, anyone can craft deauthentication frames or any other management frame.

802.11w was introduced to fix this issue, allowing for protected management frames (PMF). If a device requires PMF but receives an unsolicited management frame (e.g. deauthentication), it can ignore it. However, it is not widely adopted and does not completely solve the problem.
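Both answers make the same point: the Frame Control field and the addresses in an 802.11 header are always cleartext, so a receiver (or a monitor) can classify every frame, and a forged deauthentication is indistinguishable from a genuine one unless 802.11w marks it with the Protected Frame bit. The Python below is an added illustration, not code from either answer: it parses the 24-byte MAC header of a constructed sample capture, shows how an 802.11w station decides whether to honor a disconnect frame, and flags a deauth flood the way a wireless IDS would. The sample frames, the MAC addresses, and the `threshold` value are all constructed for the example.

```python
"""Parse cleartext 802.11 headers and flag an unprotected deauth flood.

Constructed example: the frames below are synthetic hex, not a real capture.
"""
from collections import defaultdict

# Frame type / subtype values from the 802.11 Frame Control field.
TYPE_MGMT, TYPE_DATA = 0, 2
SUBTYPE_BEACON, SUBTYPE_DISASSOC, SUBTYPE_DEAUTH = 8, 10, 12
PROTECTED_FLAG = 0x40  # bit 6 of the second Frame Control byte


def parse_header(frame: bytes) -> dict:
    """Decode the 24-byte MAC header; the header is never encrypted, so this
    works on every frame. The reason code of a deauth/disassoc is only
    readable when the body is not 802.11w-protected (CCMP-encrypted)."""
    if len(frame) < 24:
        raise ValueError("frame shorter than an 802.11 MAC header")
    fc0, fc1 = frame[0], frame[1]
    info = {
        "type": (fc0 >> 2) & 0x3,
        "subtype": (fc0 >> 4) & 0xF,
        "protected": bool(fc1 & PROTECTED_FLAG),
        "addr1": frame[4:10].hex(":"),   # receiver address
        "addr2": frame[10:16].hex(":"),  # transmitter address
        "addr3": frame[16:22].hex(":"),  # BSSID for these frame types
        "seq": int.from_bytes(frame[22:24], "little") >> 4,
        "reason": None,
    }
    if (is_disconnect(info) and not info["protected"] and len(frame) >= 26):
        info["reason"] = int.from_bytes(frame[24:26], "little")
    return info


def is_disconnect(info: dict) -> bool:
    return info["type"] == TYPE_MGMT and info["subtype"] in (SUBTYPE_DEAUTH, SUBTYPE_DISASSOC)


def station_should_honor(info: dict, pmf_required: bool) -> bool:
    """What an 802.11w station does with a disconnect frame: when PMF is
    required, an unprotected deauth/disassoc is ignored instead of obeyed."""
    if not is_disconnect(info):
        return True
    return info["protected"] or not pmf_required


def detect_deauth_flood(frames, threshold: int = 5) -> list:
    """Return (bssid, target) pairs that saw more than `threshold` unprotected
    disconnect frames. `threshold` is an assumed tuning knob, not a standard."""
    counts = defaultdict(int)
    for frame in frames:
        info = parse_header(frame)
        if is_disconnect(info) and not info["protected"]:
            counts[(info["addr3"], info["addr1"])] += 1
    return sorted(pair for pair, n in counts.items() if n > threshold)


# Constructed sample capture: AP/BSSID 02:00:00:00:aa:01, station 02:00:00:00:bb:02.
# Field order: FrameControl, Duration, Addr1, Addr2, Addr3, SeqCtrl, body.
SAMPLE_FRAMES = [bytes.fromhex(h) for h in [
    # beacon from the AP (broadcast management frame, never encrypted)
    "8000" "0000" "ffffffffffff" "02000000aa01" "02000000aa01" "1000",
    # encrypted data frame station -> AP (ToDS=1 and Protected Frame bit set)
    "0841" "0000" "02000000aa01" "02000000bb02" "02000000aa01" "2000" "deadbeef",
    # 802.11w-protected deauth AP -> station: body is ciphertext, reason unreadable
    "c040" "0000" "02000000bb02" "02000000aa01" "02000000aa01" "3000" "0000000000000000",
] + [
    # six unprotected deauths claiming to come from the AP (reason 7), seq 100..105
    "c000" "3a01" "02000000bb02" "02000000aa01" "02000000aa01"
    + ((100 + i) << 4).to_bytes(2, "little").hex() + "0700"
    for i in range(6)
]]


if __name__ == "__main__":
    for f in SAMPLE_FRAMES:
        h = parse_header(f)
        print(h["type"], h["subtype"], "protected" if h["protected"] else "cleartext",
              h["addr2"], "->", h["addr1"], "reason", h["reason"],
              "honored(PMF)" if station_should_honor(h, True) else "dropped(PMF)")
    print("flood targets:", detect_deauth_flood(SAMPLE_FRAMES))
```

Run it and the protected deauth is the only disconnect frame a PMF-required station honors; the six cleartext deauths are dropped by such a station but still show up in the flood detector, which is exactly the residual problem the second answer describes: 802.11w lets a capable client ignore the forgery, but the forged frames are still on the air and PMF only helps when both sides have it enabled.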