An access token is known as a bearer token. It is presented to a resource server (like the EventSub endpoints) and hence is considered disposable (hence its short lifetime).
A refresh token affords an extra layer of security because it is only ever presented to the authorization server (OAuth server) in combination with your client secret for purposes of obtaining a new access token. Refresh tokens typically have a much longer lifetime than access tokens.
As I understand it, refresh tokens only come into play with User Access Tokens, as those have a short lifetime. In the case of an App Access Token, you will never have to deal with refresh tokens. You simply request a new App Access Token using your client ID and client secret from the authorization server.
On a side note, you can almost always use a User Access Token even if an endpoint requires only an App Access Token.
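The two renewal paths described in the post above, as an added example that is not part of the original post: a small token cache that sends a `refresh_token` grant for a user token and a `client_credentials` grant for an app token. `TOKEN_URL`, the client ID and secret, and `fake_auth_server` are constructed placeholders, and sending the client credentials in the form body (rather than HTTP Basic) is an assumption.

```python
import time
from urllib.parse import urlencode, parse_qs

TOKEN_URL = "https://auth.example/oauth2/token"  # placeholder, not a real endpoint

class TokenManager:
    """Caches one access token and renews it with the grant that fits its type."""
    def __init__(self, client_id, client_secret, post, refresh_token=None):
        self.client_id, self.client_secret = client_id, client_secret
        self.post = post                    # callable(url, form_body) -> dict
        self.refresh_token = refresh_token  # set => user token, None => app token
        self.access_token, self.expires_at = None, 0.0

    def renewal_form(self):
        # Only ever sent to the authorization server, never to a resource server.
        form = {"client_id": self.client_id, "client_secret": self.client_secret}
        if self.refresh_token:   # user access token: RFC 6749 section 6
            form.update(grant_type="refresh_token", refresh_token=self.refresh_token)
        else:                    # app access token: RFC 6749 section 4.4
            form["grant_type"] = "client_credentials"
        return form

    def get_token(self, now=None, skew=30):
        now = time.time() if now is None else now
        if self.access_token is None or now >= self.expires_at - skew:
            reply = self.post(TOKEN_URL, urlencode(self.renewal_form()))
            self.access_token = reply["access_token"]
            self.expires_at = now + reply["expires_in"]
            # Some servers rotate the refresh token; keep the newest one.
            self.refresh_token = reply.get("refresh_token", self.refresh_token)
        return self.access_token

def fake_auth_server(url, body):
    """Constructed stand-in for the authorization server, so this runs offline."""
    f = {k: v[0] for k, v in parse_qs(body).items()}
    assert url == TOKEN_URL and f["client_secret"] == "s3cret-demo"
    fake_auth_server.seen.append(f["grant_type"])
    n = len(fake_auth_server.seen)
    reply = {"access_token": f"at-{n}", "expires_in": 3600}
    if f["grant_type"] == "refresh_token":
        reply["refresh_token"] = f"rt-{n}"
    return reply
fake_auth_server.seen = []

def demo():
    fake_auth_server.seen = []
    user = TokenManager("demo-client", "s3cret-demo", fake_auth_server, "rt-0")
    app = TokenManager("demo-client", "s3cret-demo", fake_auth_server)
    return [user.get_token(now=0), user.get_token(now=100),
            user.get_token(now=3600), app.get_token(now=0), app.get_token(now=4000)]
```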