AES can be used for 3 key sizes: 128, 192 and 256 bit keys. Basically if you are able to use larger keys than 256 bit, then the library is "lying to you" i.e. some bits of the larger key are discarded or compressed somehow. For instance PHP
mcrypt simply cuts the size of the key down to the largest possible size.
Larger key "seeds" are rather common in the world of cryptography. For instance Diffie-Hellman - a key agreement algorithm - usually generates a secret larger than the key size required. So the question of extracting (concentrating) the amount of entropy in a key often arises. If bits are truncated then the entropy in those bits is discarded.
So what is actually used in modern cryptography is a KDF, a Key Derivation Function. If the input - the seed - is a password, you should utilize a PBKDF (Password Based KDF). Modern PBKDF's are PBKDF2, bcrypt, scrypt and Argon2.
If the input is already a key - data that is provides enough entropy (randomness) if taken together - you should utilize a KBKDF (Key Based KDF). A modern KBKDF is for instance HKDF. Note that these algorithms require additional input, so if no additional data is provided it is most likely that the extra key bits are simply ignored.
The cryptographic strength of AES-128 is and stays 128 bits of course. As long as these bits are indistinguishable from random by an attacker, AES-128 should provide enough security for practical needs. AES-256 could be used if you fear breakthroughs in Quantum Cryptography.
So for the answer: "Are AES legal key sizes really the limit?" the answer is a resounding yes. 2048 bit key sizes are more commonly found for asymmetric algorithms such as RSA / DSA. For RSA and DSA the key size is actually rather low, even though it should still be out of reach for practical attacks. Maybe the ciphertext was encrypted using hybrid encryption.