The syntax findOne(…).lean().exec(), as I do not recognize it, makes me think that you might be using an obstruction abstraction layer like mongoose.
If it is the case, it might be a good idea to add mongoose to the tag list so that people only tracking mongoose-related topics see your post.
How does it behave exactly? Errors or wrong results?
I am not sure you can have projection with exclusion like lastRefreshed:0 and inclusion like the tokens specification. As mentioned by @Prasad_Saya, $slice should work. I would try just using the $slice part. In principle, all other fields will be excluded.