AWS Cognito - Invalid Refresh Token
Another thing that can cause this error: using different user pool clients for generating the refresh token and trying to use it to generate new access & id tokens. It looks like a given refresh token may only be used by the client that generated it.
I've found the answer.
As it turns out, it wasn't really an invalid refresh token; at least in the sense of the object itself.
If you have device tracking enabled, then you must pass the users device key in the AuthParameters (which I wasn't doing).
I read through the description of device tracking, as found here, and it didn't seem applicable for my use-case so I simply turned it off (User Pool > Devices).
The above code worked after that.