Warren Parad
Apr 13, 2022

This seems like a lot of extra work for really no additional value here.

1) If you care about HttpOnly secure cookies, make sure to choose an auth provider that does that, Authress for one.

2) If you are going to do the IP address check, everything else is irrelevant anyway. It's better to improve fingerprinting rather than add unnecessary storage technology.

3) You can store the tokens in memory instead of in localStorage. This avoids most of the problems and prevents browser dumps, and untargeted XSS frequently doesn't know where to look or what to call.

4) Cookies are a challenge; there are some ways to do it right, but a lot of ways to do it wrong. In this example it may work if you have one API that is coupled to one UI (as is frequent in PHP land). But as soon as you have microservices, this can't work. Tokens need to be shared between sites/domains/etc. and work with third parties.

5) If you still care about all this, use DPoP, which creates token binding with the user agent; then you don't even need to worry about exposed tokens.

Written by Warren Parad

CTO and Founder Authress, Complete Auth for B2B.