> since these tokens are almost always something like "15 minutes since the last use"

No? They’re almost always “15 minutes since the last use, or 5 hours since it was created”, which results in a completely different security picture.