I didn’t have the answers to your questions. but are you familiar with Honeywell home thermostat Binding? It’s that the same API or a different one?
And this is very unlikely to be the first binding that needs to save a token like that so surely there’s an add-on that can be referenced for an example.
Oauth2 is pretty standard so I’m certain dealing with the refresh token has been done before. Unfortunately I’ve not coded a binding line this so can’t help any more than this