According to our documentation:
unauthorized(401): represents an invalid token. If the TrueLayer token is expired, refreshing it should fix it. Otherwise, the end-user must re-authenticate.
access_denied(403): the user is successfully authorised but does not have permission to the particular request.
Both issues do not happen during a token refresh, only when requesting data (accounts, balances, transactions, etc). For token refresh errors, check invalid_grant.