You can temporarily set the tokens to expire since the default is 10 hours. And here are details about the windowstokenlifetime setting: https://social.technet.microsoft.com/Forums/ie/en-US/6d5e4d3e-5aa2-4cf1-93b5-03a473df74ee/what-is-difference-between-windowstokenlifetime-and-logontokencacheexpirationwindow?forum=sharepointadmin
Try these links:
https://www.sharepointdiary.com/2014/10/active-directory-group-membership-sync-issue-solution-sharepoint.html
https://www.vioreliftode.com/index.php/active-directory-security-groups-and-sharepoint-claims-based-authentication/
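One way to shorten the token lifetime for a test and then put the farm's own values back, as an added example that is not part of the original answer. The function name `Set-StsTokenLifetime` and the 5-minute and 1-minute values are assumptions chosen for illustration, and the script assumes it runs in the SharePoint Management Shell on a farm server.

```powershell
# Added example: temporarily shorten the SharePoint STS token lifetime so that
# Active Directory group membership changes are re-evaluated sooner.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

# Hypothetical helper: applies new values and returns the previous ones.
function Set-StsTokenLifetime {
    param(
        [Parameter(Mandatory)] [TimeSpan] $WindowsTokenLifetime,
        [Parameter(Mandatory)] [TimeSpan] $LogonTokenCacheExpirationWindow
    )

    # The cache expiration window has to stay below the token lifetime;
    # otherwise every cached token counts as expired and users are
    # re-authenticated on each request.
    if ($LogonTokenCacheExpirationWindow -ge $WindowsTokenLifetime) {
        throw "LogonTokenCacheExpirationWindow must be less than WindowsTokenLifetime."
    }

    $sts = Get-SPSecurityTokenServiceConfig

    # Record what the farm currently uses so it can be restored exactly.
    $previous = [pscustomobject]@{
        WindowsTokenLifetime            = $sts.WindowsTokenLifetime
        LogonTokenCacheExpirationWindow = $sts.LogonTokenCacheExpirationWindow
    }

    $sts.WindowsTokenLifetime            = $WindowsTokenLifetime
    $sts.LogonTokenCacheExpirationWindow = $LogonTokenCacheExpirationWindow
    $sts.Update()

    return $previous
}

# Shorten the lifetime for the test (constructed sample values).
$saved = Set-StsTokenLifetime `
    -WindowsTokenLifetime (New-TimeSpan -Minutes 5) `
    -LogonTokenCacheExpirationWindow (New-TimeSpan -Minutes 1)
$saved | Format-List

# ... change the group membership in Active Directory and re-test access ...

# Restore the values that were in place before the test.
Set-StsTokenLifetime `
    -WindowsTokenLifetime $saved.WindowsTokenLifetime `
    -LogonTokenCacheExpirationWindow $saved.LogonTokenCacheExpirationWindow |
    Out-Null
```

Leaving the lifetime short on a production farm increases load on the security token service and the domain controllers, so the restore step matters as much as the change.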