
Upgrading from IdentityServer v6.2 to v6.3 causes invalid request related to proof of possession #1414

Open
brkmover opened this issue Sep 20, 2024 · 0 comments

Comments

@brkmover

Which version of Duende IdentityServer are you using?
v6.2.5

Which version of .NET are you using?
net6.0

Describe the bug
When upgrading to v6.3, we experience that suddenly, when calling the connect/token endpoint with a refresh token, we receive the following error.

{
    "error": "invalid_request",
    "error_description": "Proof of possession can't be used on subsequent token requests unless used when requesting the initial refresh token."
}

To Reproduce
Steps to reproduce the behavior.

We call the connect/token endpoint with the following first.

{
    "client_id":"abc",
    "client_secret":"{{_client_secret}}",
    "scope":"openid profile email organization-selection offline_access",
    "grant_type":"password",
    "username":"[email protected]",
    "password":"123456789"
}

Then we make a call to our own custom endpoint; see the code here: https://gist.github.com/brkmover/57350b1afe450f3d83ff35f25d40aab5. Note: this code works in v6.2 but not in v6.3.

Using the refresh token from the above custom code in the gist we make another call to the connect endpoint as follows.

{
    "client_id":"abc",
    "client_secret":"{{_client_secret}}",
    "grant_type":"refresh_token",
    "refresh_token":"{{_refresh_token}}"
}

This now results in the PoP error.

Expected behavior

Retrieving a valid token using the generated refresh token.

Additional context

We are using the Starter edition license.
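The error text in this report describes a consistency rule on refresh-token proof of possession: a refresh token issued without a proof-of-possession binding must not be presented with one later. The following is an added example, written for this page and not code from the reporter, the linked gist, or Duende IdentityServer; it models that rule as a small validator so the failing combination from the report can be reproduced and recognised offline. The names (`StoredRefreshToken`, `RefreshRequest`, `validate_refresh_binding`, `is_pop_binding_error`) and the reverse-direction error wording are assumptions of this example; only the `invalid_request` error and its description are taken from the issue.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Optional, Tuple

# Assumed model of how a refresh token is bound when it is issued.
class ProofType(Enum):
    NONE = "none"
    DPOP = "dpop"

@dataclass
class StoredRefreshToken:
    client_id: str
    proof_type: ProofType  # binding recorded at issuance time

@dataclass
class RefreshRequest:
    client_id: str
    refresh_token: str
    dpop_proof: Optional[str] = None  # DPoP proof presented on this request, if any

# Error description quoted from the issue (v6.3 behaviour).
POP_MISMATCH = ("Proof of possession can't be used on subsequent token requests "
                "unless used when requesting the initial refresh token.")
# Assumed wording for the opposite mismatch (not taken from the page).
POP_MISSING = "Refresh token is bound to a proof-of-possession key but no proof was presented."

def validate_refresh_binding(stored: StoredRefreshToken,
                             req: RefreshRequest) -> Tuple[bool, Optional[str], Optional[str]]:
    """Check that the refresh request's proof of possession matches the binding
    recorded when the refresh token was issued. Returns (ok, error, error_description)."""
    requested = ProofType.DPOP if req.dpop_proof else ProofType.NONE
    if stored.proof_type is ProofType.NONE and requested is ProofType.DPOP:
        # The case reported in the issue: token issued without PoP, PoP used later.
        return False, "invalid_request", POP_MISMATCH
    if stored.proof_type is ProofType.DPOP and requested is ProofType.NONE:
        # Assumed reverse check: a bound token must keep presenting its proof.
        return False, "invalid_request", POP_MISSING
    return True, None, None

def is_pop_binding_error(response: dict) -> bool:
    """Recognise the token-endpoint error from the report in a parsed JSON body,
    so a client or log pipeline can tell this failure apart from other invalid_request errors."""
    return (response.get("error") == "invalid_request"
            and "proof of possession" in response.get("error_description", "").lower())

def reproduce_report() -> dict:
    """Replay the issue's sequence: password grant issues an unbound refresh token,
    then the refresh_token grant arrives with a DPoP proof attached."""
    stored = StoredRefreshToken(client_id="abc", proof_type=ProofType.NONE)
    req = RefreshRequest(client_id="abc", refresh_token="{{_refresh_token}}",
                         dpop_proof="constructed-dpop-proof")  # constructed sample value
    ok, error, description = validate_refresh_binding(stored, req)
    return {} if ok else {"error": error, "error_description": description}

if __name__ == "__main__":
    print(reproduce_report())
```

The useful check when debugging a report like this one is to compare the binding recorded at issuance with the binding on the refresh request: if a custom endpoint creates the refresh token, confirm it records the same proof type the client will later present.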
