What is a definitive “bad user” response from server-side validation of a refresh token with Apple Sign In?

Question

Apple Sign-in enables servers to create a refresh token, which can be checked for validity at most once per 24 hours. E.g., see What's the purpose of "Verify a User