Why invalid_grant error with "Session doesn’t have required client"?
I have an app connected via oauth2-proxy to Keycloak and generally everything runs fine.
Just sometimes I see the following error in the oauth2-proxy logfiles:
```
unable to redeem refresh token: failed to get token: oauth2: cannot fetch token: 400 Bad Request
Response: {"error":"invalid_grant","error_description":"Session doesn't have required client"},
removing session.
```
The corresponding message in the Keycloak logfile is this:
```
org.keycloak.events
type=REFRESH_TOKEN_ERROR, realmId=xxx, clientId=xxx, userId=f:ce9d954a-de51-48a4-a70b-xxx:xxx, ipAddress=x.x.x.x, error=invalid_token, grant_type=refresh_token, refresh_token_type=Refresh, refresh_token_id=bb77d7aa-c061-45d4-b2f7-fe938d5537cb, client_auth_method=client-secret
```
I found the same error message in e.g. 'What does "Session doesn't have required client" mean?', but that problem was for Keycloak 4.x, while I'm using the latest 16.1.1. Additionally, I don't use remember-me sessions.
The source code has this message only in oidc/TokenManager.java, where problems with "cross-dc environment" are suggested, but we don't have a cross-datacenter environment, just three instances in the same Kubernetes namespace installed with the latest Helm chart.
What else could possibly cause this problem?
Sources
This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.
Source: Stack Overflow
