Yeah this changed a few months ago and I stopped trying to keep up with all the changes, relying on the refresh token. There's a long list of discussions on Tim Dorr's Github with varying solutions.
Well my access_token and refresh_token were both revoked by Tesla when they 'solved' this recent vulnerability, so I have to create a new token from scratch. You are very lucky if your refresh token has not been revoked and you can continue to use it.
The discussions on Tim Dorr's GitHub relate to issues that predate this latest action from Tesla.