@alonsabi I am seeing the same behavior. See this post
It appears that the expiry does not apply to the individual refresh token, but the chain of tokens generated after the user initiates the OAuth2 flow. I see a repeatable pattern of the rotations working for exactly 30 days, followed by a 403.
Still waiting on a response from Atlassian… We may have to fall-back on OAuth1, since it is pretty unreasonable to ask app users to periodically re-auth.