https://developer.mozilla.org/en-US/docs/Web/API/SubtleCrypto/generateKey#Parameters

This way, even if some script manages to steal refresh token #4, it will not be able to get the private key, which that token stays bound to.
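
The binding described above, sketched with the Web Crypto API as an added example (not code from the original post): the key pair is generated with `extractable` set to `false`, export of the private key is refused, and a server that checks a signature over the token rejects a replay signed with any other key. The token value, nonce, proof format (`token.nonce`) and function names are assumptions made for illustration.

```javascript
// Added example: token value, nonce, proof format and function names are illustrative assumptions.
const subtle = globalThis.crypto?.subtle ?? require("node:crypto").webcrypto.subtle; // Node < 19 fallback
const ALG = { name: "ECDSA", namedCurve: "P-256" };
const SIG = { name: "ECDSA", hash: "SHA-256" };
const enc = new TextEncoder();

// Client: create the key pair the refresh token gets bound to.
// extractable=false applies to the private key; the public key stays exportable.
async function createBoundKey() {
  return subtle.generateKey(ALG, false, ["sign", "verify"]);
}

// Client: prove possession by signing token + server nonce (hypothetical proof format).
async function signProof(privateKey, token, nonce) {
  return subtle.sign(SIG, privateKey, enc.encode(`${token}.${nonce}`));
}

// Server: accept the token only with a valid signature from the registered public key.
async function verifyProof(publicJwk, token, nonce, signature) {
  const pub = await subtle.importKey("jwk", publicJwk, ALG, true, ["verify"]);
  return subtle.verify(SIG, pub, signature, enc.encode(`${token}.${nonce}`));
}

async function bindingDemo() {
  const token = "refresh-token-4-constructed"; // constructed sample value
  const nonce = "nonce-constructed-123";       // constructed sample value
  const legit = await createBoundKey();
  const registeredJwk = await subtle.exportKey("jwk", legit.publicKey);

  // Exporting a non-extractable key rejects (InvalidAccessError per the Web Crypto spec).
  let exportBlocked = false;
  try { await subtle.exportKey("pkcs8", legit.privateKey); }
  catch { exportBlocked = true; }

  const goodSig = await signProof(legit.privateKey, token, nonce);
  // Token presented without the bound key: any signature comes from a different key pair.
  const other = await createBoundKey();
  const badSig = await signProof(other.privateKey, token, nonce);

  return {
    privateExtractable: legit.privateKey.extractable,
    exportBlocked,
    legitAccepted: await verifyProof(registeredJwk, token, nonce, goodSig),
    replayAccepted: await verifyProof(registeredJwk, token, nonce, badSig),
  };
}
```

A non-extractable key cannot be exported, but code running in the same origin can still ask it to sign, so the binding limits use of a stolen token elsewhere rather than misuse inside the page.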