dirkjanm / ROADtools

A collection of Azure AD/Entra tools for offensive and defensive security purposes

Problem requesting access token for certain clients

HackmichNet opened this issue · comments

When using the following command with a valid refresh token:

roadrecon auth --refresh-token "XXXX" -s "https://graph.windows.net/.default openid profile offline_access" -c c44b4083-3bb0-49c1-b47d-974e53cbdf3c

The server responds with:

"AADSTS9002327: Tokens issued for the 'Single-Page Application' client-type may only be redeemed via cross-origin requests."

I debugged the issue and found out the problem is the user agent. After setting it to a browser-like value, the call works as expected.
Maybe it is possible to add a parameter for the user agent.

Interesting. Adding custom user agent support is on my short-term to-do list. I did make some changes recently to support the scope parameter with the auth, which apparently triggers this new behaviour; I will have to look at a fix for that.
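To make the behaviour reported in this issue reproducible outside roadrecon, here is a small added example (my own code, not part of ROADtools) that redeems a refresh token against the Azure AD v2.0 token endpoint with a configurable User-Agent and recognises the AADSTS9002327 response. It assumes the standard endpoint `https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token` and the standard `refresh_token` grant fields; the browser-like User-Agent string and the sample error body are placeholders I constructed, since the issue only says "browser-like".

```python
"""Added example, not ROADtools code: refresh-token redemption with a
configurable User-Agent plus detection of the AADSTS9002327 SPA error.

Assumptions (not from the issue): the v2.0 token endpoint URL and the
standard OAuth2 refresh_token form fields; BROWSER_UA is a placeholder.
"""
import json
import urllib.error
import urllib.parse
import urllib.request

TOKEN_ENDPOINT = "https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token"

# Placeholder browser-like User-Agent (assumption, the issue gives no exact value).
BROWSER_UA = ("Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
              "(KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36")

# Error code quoted in the issue for SPA-type clients.
SPA_ERROR_CODE = "AADSTS9002327"

# Client id and scope taken from the roadrecon command in the issue.
AZURE_PORTAL_CLIENT_ID = "c44b4083-3bb0-49c1-b47d-974e53cbdf3c"
DEFAULT_SCOPE = "https://graph.windows.net/.default openid profile offline_access"


def build_refresh_request(refresh_token, client_id=AZURE_PORTAL_CLIENT_ID,
                          scope=DEFAULT_SCOPE, user_agent=BROWSER_UA,
                          tenant="common"):
    """Return the URL, headers and (unencoded) form for a refresh_token grant."""
    return {
        "url": TOKEN_ENDPOINT.format(tenant=tenant),
        "headers": {
            "Content-Type": "application/x-www-form-urlencoded",
            "User-Agent": user_agent,
        },
        "form": {
            "grant_type": "refresh_token",
            "client_id": client_id,
            "scope": scope,
            "refresh_token": refresh_token,
        },
    }


def classify_token_response(status, text):
    """Map a token endpoint response to a short outcome label."""
    try:
        data = json.loads(text)
    except ValueError:
        return "unparseable"
    if status == 200 and "access_token" in data:
        return "ok"
    description = data.get("error_description", "")
    if SPA_ERROR_CODE in description:
        # The server refused the redemption because the client is registered
        # as a Single-Page Application; the issue reports that a browser-like
        # User-Agent avoided this response.
        return "spa_cross_origin"
    return data.get("error", "unknown")


def redeem(refresh_token, **kwargs):
    """Send the request and classify the result (network call, not run in tests)."""
    req_parts = build_refresh_request(refresh_token, **kwargs)
    body = urllib.parse.urlencode(req_parts["form"]).encode()
    req = urllib.request.Request(req_parts["url"], data=body,
                                 headers=req_parts["headers"], method="POST")
    try:
        with urllib.request.urlopen(req, timeout=30) as resp:
            return classify_token_response(resp.status, resp.read().decode())
    except urllib.error.HTTPError as err:
        return classify_token_response(err.code, err.read().decode())


# Constructed sample of the error body shape; only the code string is from the issue.
SAMPLE_SPA_ERROR = json.dumps({
    "error": "invalid_request",
    "error_description": SPA_ERROR_CODE + ": Tokens issued for the "
    "'Single-Page Application' client-type may only be redeemed via "
    "cross-origin requests.",
})

if __name__ == "__main__":
    # Offline demonstration; replace with redeem("<refresh token>") to test live.
    print(classify_token_response(400, SAMPLE_SPA_ERROR))
    print(build_refresh_request("XXXX")["headers"]["User-Agent"])
```

Running `redeem(token, user_agent="python-requests/2.31")` versus `redeem(token)` with the default browser-like value is the quickest way to confirm, for a given client id, whether the User-Agent alone changes the outcome as the issue describes.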