I may be leading you down the wrong path here … I am thinking in terms of standard OAuth flows.
If I understand what you are trying to do, you want PowerBI/Qlik/Tableau to access your Graphql API on behalf of the user. I’m not exactly sure how this would work in PowerBI/Qlik/Tableau, but the usual model is: the user authorizes PowerBI/Qlik/Tableau to act (query the API) on the user’s behalf. PowerBI/Qlik/Tableau would use the resulting access token to talk to the API. Once the access token expires, PowerBI/Qlik/Tableau would go back to the authorization server to request a new access token, for which PowerBI/Qlik/Tableau needs the refresh token.
@James.Morrison might have someone else on here who can confirm the approach.