Both client and server accessing a Pod

It would seem then that the key pair is needed on my client in order to make a request to Solid to get an updated access token. It seems like my server has to send the key pair to my client on the initial sign-in. Which seems less than satisfactory.

You could keep the ID token, access token and refresh token in a users database, and run every request from the server side of your application. You are bound to do this for when the user is not on the app anyway. However, I agree that it’s a problem with DPoP. Namely, if the key was not bound to the refresh token, you could put the key in the client because it would expire in approximately 30 minutes (I think that’s the default configuration for Solid), so harm would be limited in case of a leak.
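
Added example, not part of either post above: a Node.js sketch of the DPoP (RFC 9449) check a server performs on a key-bound token, showing why whichever side presents the token must also hold the private key. The function names and the `pod.example` URL are assumptions; server nonces, `jti` replay tracking and the `ath` claim are left out.

```javascript
// Added illustration; names and URL are hypothetical. Uses only Node.js built-ins.
const crypto = require('node:crypto');

const b64u = (s) => Buffer.from(s).toString('base64url');
const newKey = () => crypto.generateKeyPairSync('ec', { namedCurve: 'prime256v1' });

// RFC 7638 thumbprint of an EC public JWK (required members, lexicographic order).
function jwkThumbprint(jwk) {
  const canonical = JSON.stringify({ crv: jwk.crv, kty: jwk.kty, x: jwk.x, y: jwk.y });
  return crypto.createHash('sha256').update(canonical).digest('base64url');
}

// Client side: sign a DPoP proof for one HTTP request with the private key.
function makeProof(keyPair, htm, htu) {
  const header = { typ: 'dpop+jwt', alg: 'ES256', jwk: keyPair.publicKey.export({ format: 'jwk' }) };
  const claims = { jti: crypto.randomUUID(), htm, htu, iat: Math.floor(Date.now() / 1000) };
  const input = `${b64u(JSON.stringify(header))}.${b64u(JSON.stringify(claims))}`;
  const sig = crypto.sign('sha256', Buffer.from(input),
    { key: keyPair.privateKey, dsaEncoding: 'ieee-p1363' });
  return `${input}.${b64u(sig)}`;
}

// Server side: boundJkt is the thumbprint the token was bound to at issuance.
function checkProof(proof, boundJkt, htm, htu, maxAgeSec = 60) {
  const [h, c, s] = proof.split('.');
  let header, claims;
  try {
    header = JSON.parse(Buffer.from(h, 'base64url').toString());
    claims = JSON.parse(Buffer.from(c, 'base64url').toString());
  } catch { return 'malformed'; }
  if (header.typ !== 'dpop+jwt' || header.alg !== 'ES256') return 'bad header';
  if (!header.jwk || header.jwk.kty !== 'EC' || header.jwk.d) return 'bad jwk';
  const pub = crypto.createPublicKey({ key: header.jwk, format: 'jwk' });
  const ok = crypto.verify('sha256', Buffer.from(`${h}.${c}`),
    { key: pub, dsaEncoding: 'ieee-p1363' }, Buffer.from(s || '', 'base64url'));
  if (!ok) return 'bad signature';
  if (claims.htm !== htm || claims.htu !== htu) return 'wrong request';
  if (Math.abs(Date.now() / 1000 - claims.iat) > maxAgeSec) return 'stale';
  return jwkThumbprint(header.jwk) === boundJkt ? 'ok' : 'key not bound to token';
}

// Constructed scenario: a token bound to the app's key, then presented with another key.
function demo() {
  const appKey = newKey(), otherKey = newKey(), url = 'https://pod.example/private/notes.ttl';
  const boundJkt = jwkThumbprint(appKey.publicKey.export({ format: 'jwk' }));
  return [checkProof(makeProof(appKey, 'GET', url), boundJkt, 'GET', url),
          checkProof(makeProof(otherKey, 'GET', url), boundJkt, 'GET', url)];
}
```

A token copied without the private key fails the last check, which is the protection DPoP provides and also the reason a browser client cannot use a server-held token unless the key travels with it.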