AWS Cognito - Invalid Refresh Token

Another thing that can cause this error: using different user pool clients for generating the refresh token and trying to use it to generate new access & id tokens. It looks like a given refresh token may only be used by the client that generated it.


I've found the answer.

As it turns out, it wasn't really an invalid refresh token; at least in the sense of the object itself.

If you have device tracking enabled, then you must pass the user's device key in the AuthParameters (which I wasn't doing).

I read through the description of device tracking, as found here, and it didn't seem applicable for my use-case so I simply turned it off (User Pool > Devices).

The above code worked after that.
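Both causes described in the answers above can be checked before the refresh call is made. The following is an added example, not code from either answer. It assumes the access token issued together with the refresh token is still available, and it reads that token's `client_id` and `device_key` claims; `build_refresh_request`, `jwt_claims` and `make_constructed_token` are hypothetical helper names.

```python
import base64
import json


def jwt_claims(token):
    """Decode a JWT payload WITHOUT verifying the signature (diagnostics only)."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore stripped base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def build_refresh_request(client_id, refresh_token, last_access_token, device_key=None):
    """Return kwargs for cognito-idp InitiateAuth, or raise on a client mismatch."""
    claims = jwt_claims(last_access_token)
    issued_to = claims.get("client_id")
    if issued_to != client_id:
        # Cause 1: the refresh token belongs to a different user pool client.
        raise ValueError(f"tokens were issued to client {issued_to!r}, not {client_id!r}")
    params = {"REFRESH_TOKEN": refresh_token}
    # Cause 2: with device tracking enabled, the device key must be sent too.
    device_key = device_key or claims.get("device_key")
    if device_key:
        params["DEVICE_KEY"] = device_key
    # App clients that have a client secret also need SECRET_HASH (omitted here).
    return {"AuthFlow": "REFRESH_TOKEN_AUTH", "ClientId": client_id, "AuthParameters": params}


def refresh(request, region):
    """Send the request with boto3 (imported lazily so the helpers run offline)."""
    import boto3
    client = boto3.client("cognito-idp", region_name=region)
    return client.initiate_auth(**request)["AuthenticationResult"]


def make_constructed_token(claims):
    """Constructed, unsigned sample token so the example can be tried offline."""
    def enc(obj):
        raw = json.dumps(obj).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return ".".join([enc({"alg": "none"}), enc(claims), "sig"])


if __name__ == "__main__":
    # Constructed sample values, not real identifiers.
    token = make_constructed_token({"client_id": "clientA", "device_key": "dev-1"})
    print(build_refresh_request("clientA", "opaque-refresh-token", token))
```

The unverified decode is only a pre-flight diagnostic; tokens used for authorization decisions still need full signature and claim validation.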