I think the "user" which is the client_id in this case should be encoded while getting the access token renewed.

This document explains the details / steps for the same - https://community.snowflake.com/s/article/How-To-Generate-renewed-access-token-using-Refresh-Token-in-OAuth2