Yes, that is a little confusing given that there are two types of token, the bearer token and the refresh token! OAuth is very complicated.
Rclone uses the refresh token to get a new access token.
Yes, it updates the config file and this may include a new bearer token and a new refresh token. (With some providers the refresh token only works once.)
It stores whatever refresh token it got back in the config file.
No. Rclone gets a new access and refresh token when the expiry is past.
This should be enough:
{
  "access_token": "XXX",
  "token_type": "Bearer",
  "refresh_token": "XXX",
  "expiry": "2023-04-27T11:23:01.095252814+01:00"
}
I hope that helps!
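
The refresh behaviour described in the reply above, as an added example that is not part of the original post and is not rclone's own code: it parses the token JSON shown, checks the expiry, and builds the token to write back, replacing the refresh token when the provider rotates it and keeping the stored one when the response omits it (RFC 6749 section 6). The function names, the `RefreshResponse` type and the `OLD`/`NEW` values are assumptions made for illustration.

```go
package main

import (
	"encoding/json"
	"fmt"
	"time"
)

// Token mirrors the JSON stored in the config file, as shown in the post.
type Token struct {
	AccessToken  string    `json:"access_token"`
	TokenType    string    `json:"token_type"`
	RefreshToken string    `json:"refresh_token"`
	Expiry       time.Time `json:"expiry"` // RFC 3339, nanoseconds allowed
}

// RefreshResponse is a hypothetical type for the token endpoint's reply.
type RefreshResponse struct {
	AccessToken  string `json:"access_token"`
	TokenType    string `json:"token_type"`
	RefreshToken string `json:"refresh_token"` // empty if the provider sent none
	ExpiresIn    int64  `json:"expires_in"`    // lifetime in seconds
}

// ParseToken decodes the stored token JSON.
func ParseToken(s string) (Token, error) {
	var t Token
	err := json.Unmarshal([]byte(s), &t)
	return t, err
}

// NeedsRefresh reports whether the expiry is past at time now.
func NeedsRefresh(t Token, now time.Time) bool { return !now.Before(t.Expiry) }

// ApplyRefresh returns the token to save after a refresh. A rotated refresh
// token replaces the old one (which may only work once); if none came back,
// the stored refresh token is kept so the next refresh still works.
func ApplyRefresh(old Token, r RefreshResponse, now time.Time) Token {
	next := Token{r.AccessToken, r.TokenType, r.RefreshToken,
		now.Add(time.Duration(r.ExpiresIn) * time.Second)}
	if next.RefreshToken == "" {
		next.RefreshToken = old.RefreshToken
	}
	return next
}

func main() {
	// Constructed sample: the post's JSON with a placeholder refresh token.
	tok, _ := ParseToken(`{"access_token":"XXX","token_type":"Bearer","refresh_token":"OLD","expiry":"2023-04-27T11:23:01.095252814+01:00"}`)
	now := time.Now()
	fmt.Println(NeedsRefresh(tok, now), ApplyRefresh(tok, RefreshResponse{"NEW", "Bearer", "", 3600}, now).RefreshToken)
}
```

If a rotated refresh token is not written back to the config file, the next refresh fails with providers where the old one only works once.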