Hacker News
by upofadown 2780 days ago
... and persistent 1st party cookies which are then allowed to stick around for up to a year.

That’s my issue. If I have a cookie for a refresh token, I have to now have a banner saying the site uses a cookie. I have to have a page that explains why. All the while I have the site now looking shady because the banner is synonymous with stealing your data and selling it to ISIS.
If the refresh token is only being used for authentication and expires in a reasonable time for the application, then you would not need prior consent, so you would not need a banner. You would still have to explicitly disclose what you are doing on some sort of easy-to-find cookie policy page.

Some good discussion here:

* http://ec.europa.eu/ipg/basics/legal/cookies/index_en.htm