There might be an easier solution here, if the access token is just a JWT, would it not be possible to add a policy claim to the access token?
If so, then you can just use the JWT auth method which will do internal token translation from the
Regarding the internal token swap, where are you going to get this internal token from? If you can add it as a claim, then you can use context variables to perform the header substitution.
If the token needs to be looked up, then you can use a post-auth MW (your gRPC code would run exactly one step after the JWT auth middleware) to just replace the header with your computed internal token. Then yo udon;t need to generate a session or worry about it existing, you just need to trade external for internal.