No need to hash imo, since if you get breached they’ll probably nab the code to which describes how to unhash it since you need to unhash for use.
A given access token is only valid for 4 hours (using code flow)
If the access token is leaked can’t do anything with it if it’s 4 hours old.
and so far you only are reading public data, so you can’t do much with the token.
The refresh token is only useful if an attacker also aquires your client secret. and if you reset your leaked client secret then all the access tokens die after 4 hours and all the refresh tokens are useless the moment you reset.
So hashing is unneeded in my opinion.
Follow counts can also be pulled using any token
So depending what you are doing you might not even want to store user tokens are all.
After the user signs up to your service you jsut store their username/ID in your database, and you can everything else with an App Access Token that is used only in real time/running memory not stored in the database.