Update refresh-tokens.md

[tyfrth]

This was pointed out to me in this community post: https://community.auth0.com/t/device-flow-refresh-token-is-client-secret-really-required/93066

The primary use use-case for device flow uses a native application (the app type created previously in the doc/tutorial) where a client secret is not required - Adding the warning to make it clear that this parameter should only be included if using a confidential client.