Hmm. Why can't you manage refreshing of tokens in the activity?
It could either be a separate activity or the first step in any activity which makes outbound calls (this way it could be free from workflow code), and as far as retry is concerned you could possibly piggyback on the activity retry itself.
For token validity, generally most OAuth providers provide a token introspect endpoint, which can be used to validate the token, and since you anyway possess the refresh token, you can always fetch a new bearer token.
But if you want to pass on the new bearer token value, then you will need to persist that into the workflow (after refreshing the token, and may have to return it as your activity response).
And as far as encryption is concerned, this thread has some details.
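A sketch of the pattern this reply describes, as an added example that is not from the post or from the Temporal SDK: the OAuth provider, the activity and the workflow are constructed Python stand-ins so it runs offline (with the real SDK the activity would be a registered activity function with a retry policy, and the workflow loop would be workflow code persisting the returned token).

```python
from dataclasses import dataclass
import time


class FakeOAuthProvider:
    """Constructed stand-in for an OAuth provider with introspect + refresh endpoints."""

    def __init__(self):
        self._expiry = {}               # access_token -> expiry (epoch seconds)
        self._refresh_tokens = {"rt-1"}  # constructed, still-valid refresh tokens
        self.counter = 0

    def issue(self, ttl):
        self.counter += 1
        tok = f"at-{self.counter}"
        self._expiry[tok] = time.time() + ttl
        return tok

    def introspect(self, access_token):
        # RFC 7662-style answer: {"active": bool}
        exp = self._expiry.get(access_token)
        return {"active": exp is not None and exp > time.time()}

    def refresh(self, refresh_token, ttl=3600):
        if refresh_token not in self._refresh_tokens:
            raise PermissionError("refresh token revoked")
        return self.issue(ttl)


@dataclass
class TokenState:
    access_token: str
    refresh_token: str


def ensure_valid_token(provider, state):
    """First step of the activity: introspect, refresh only if the token is inactive.
    Exceptions (revoked refresh token, provider down) propagate, so the activity's
    own retry policy covers them; no retry loop is written in workflow code."""
    if provider.introspect(state.access_token)["active"]:
        return state, False
    return TokenState(provider.refresh(state.refresh_token), state.refresh_token), True


def call_downstream_activity(provider, state, downstream):
    """Activity body: refresh if needed, make the outbound call, and return the
    (possibly new) token in the activity result so the workflow can persist it."""
    state, refreshed = ensure_valid_token(provider, state)
    return {"result": downstream(state.access_token), "token": state, "refreshed": refreshed}


def workflow_run(provider, state, downstream, n_calls):
    """Workflow side: the token returned by each activity becomes workflow state
    (in Temporal it is then recorded in history, which is why it needs encrypting)."""
    refreshes = 0
    for _ in range(n_calls):
        out = call_downstream_activity(provider, state, downstream)
        state = out["token"]
        refreshes += out["refreshed"]
    return state, refreshes
```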