Solved: The problem was using commas instead of spaces as separator for the list of scopes when refreshing tokens. Commas are accepted when refreshing for personal Microsoft accounts (MSA) but only spaces are accepted when refreshing for work or school accounts (Entra ID fka Azure AD). Thankfully Microsoft says an improved error message is coming soon.
Make sure to use spaces not commas when separating your scopes for the Graph API.