Am I Overthinking My App’s Security Before Launch?

Asked By DevJourney92 On

Hey everyone! I'm wrapping up an application I've been developing for a client over the past eight months. I built the entire thing on my own, using mainly online resources for guidance, despite being a computer science grad. As we get closer to launching, I've been really anxious about the app's security, especially since this is my biggest solo project to date. I have about three years in software development, but I mostly worked on internal tools or CMS projects in the past.

For this app, I utilized FastAPI for the backend, MySQL for the database, and React with ShadCN on the frontend. The app is a single-page application (SPA) that allows for multiple accounts. Here's a summary of the authentication flow:
- Users log in via the frontend, receiving an access token and a refresh token from the backend.
- Access tokens go in session storage while refresh tokens are in local storage.
- Multi-account data, including tokens, is stored as an array in local storage.
- Access tokens expire after 15 minutes, whereas refresh tokens last for 30 days, with refresh token rotation in place (the old token becomes invalid after use).
- If an old refresh token is detected, all sessions for that user are invalidated.
- I've also planned to implement a strict Content Security Policy (CSP) to tackle XSS risks since some tokens are in local storage.

However, I've read that storing tokens in local storage might not be the best practice. I'm worried I might need to rethink the security model, but I have also reached the point where major changes would compromise the project's architecture. So, considering my setup, should I be worried about security, or is it good enough to launch? This is really keeping me up at night!

4 Answers

Answered By SecurityGuruX On

It’s a good idea to consider hiring a penetration tester who can identify specific vulnerabilities in your app instead of just relying on forum opinions. They can provide you with actionable insights tailored to your setup.

Answered By LogicalThinker87 On

You can store refresh tokens in HttpOnly cookies, which means the client won't have access to these tokens directly. It adds an extra layer of security without changing the core functionality.
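The rotation and reuse-detection flow described in the question, with the refresh token delivered as an HttpOnly cookie as LogicalThinker87 suggests, as an added example that is not code from the original post or from the asker's app. It is plain Python with an in-memory store standing in for the MySQL table, so it runs offline; the cookie name `refresh_token`, the endpoint path `/auth/refresh`, the `RefreshStore` class and its methods, and the 15-minute/30-day lifetimes copied from the question are all assumptions made here.

```python
import hashlib
import secrets
import time
from dataclasses import dataclass

# Lifetimes from the question (assumed here as constants): 15-minute access
# token, 30-day refresh token.
ACCESS_TTL = 15 * 60
REFRESH_TTL = 30 * 24 * 3600


class TokenReuse(Exception):
    """An already-rotated refresh token was presented again: treat as theft."""


class InvalidToken(Exception):
    """Unknown, expired or revoked refresh token."""


@dataclass
class RefreshRecord:
    user_id: str
    expires_at: float
    used: bool = False  # set when rotated; a second presentation is reuse


class RefreshStore:
    """Hypothetical in-memory stand-in for the MySQL table a real deployment
    would use. Only SHA-256 hashes of tokens are stored, so a database leak
    does not hand out live refresh tokens."""

    def __init__(self, clock=time.time):
        self._by_hash: dict[str, RefreshRecord] = {}
        self._clock = clock  # injectable so expiry can be tested offline

    @staticmethod
    def _h(token: str) -> str:
        return hashlib.sha256(token.encode()).hexdigest()

    def _issue(self, user_id: str) -> str:
        token = secrets.token_urlsafe(32)  # 256 bits of CSPRNG entropy
        self._by_hash[self._h(token)] = RefreshRecord(user_id, self._clock() + REFRESH_TTL)
        return token

    def login(self, user_id: str) -> str:
        """Successful password login: mint a fresh refresh token for this account.
        Each account in the multi-account UI gets its own independent token."""
        return self._issue(user_id)

    def rotate(self, presented: str) -> str:
        """Exchange a refresh token for a new one; the old one becomes invalid.
        A token that was already exchanged once is either a client retry or a
        replayed stolen copy. The server cannot tell which, so, as the question
        describes, every session of that user is invalidated."""
        rec = self._by_hash.get(self._h(presented))
        if rec is None:
            raise InvalidToken("unknown or revoked refresh token")
        if rec.used:
            self.revoke_user(rec.user_id)
            raise TokenReuse(f"refresh token reuse detected for user {rec.user_id}")
        if rec.expires_at <= self._clock():
            del self._by_hash[self._h(presented)]
            raise InvalidToken("refresh token expired")
        rec.used = True  # kept (not deleted) so a later replay is detectable
        return self._issue(rec.user_id)

    def revoke_user(self, user_id: str) -> int:
        """Drop every token, used or live, belonging to one user. Returns count."""
        doomed = [h for h, r in self._by_hash.items() if r.user_id == user_id]
        for h in doomed:
            del self._by_hash[h]
        return len(doomed)

    def active_sessions(self, user_id: str) -> int:
        """Number of live (unrotated, unexpired) refresh tokens for a user."""
        now = self._clock()
        return sum(1 for r in self._by_hash.values()
                   if r.user_id == user_id and not r.used and r.expires_at > now)


def refresh_cookie_header(token: str, refresh_path: str = "/auth/refresh") -> str:
    """Set-Cookie value for shipping the refresh token the way LogicalThinker87
    suggests: HttpOnly keeps it out of reach of injected JavaScript, Secure keeps
    it off plaintext HTTP, SameSite=Strict stops cross-site requests from
    carrying it, and Path (an assumed endpoint) stops it being sent with every
    API call, so only the refresh route ever sees it."""
    return (f"refresh_token={token}; Max-Age={REFRESH_TTL}; Path={refresh_path}; "
            f"HttpOnly; Secure; SameSite=Strict")


if __name__ == "__main__":
    store = RefreshStore()
    first = store.login("alice")
    second = store.rotate(first)
    print(refresh_cookie_header(second))
    try:
        store.rotate(first)  # replay of the rotated token
    except TokenReuse as exc:
        print(exc, "- alice sessions left:", store.active_sessions("alice"))
```

The SameSite=Strict cookie assumes the SPA and the FastAPI backend are served from the same site; a backend on a different site would need SameSite=None plus credentialed CORS, which puts more weight on the reuse detection and the CSP. The access token can stay in memory or session storage as in the question; only the long-lived refresh token moves into the cookie.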

Answered By CodeMaster101 On

You shouldn't reinvent the wheel when it comes to authentication. Using the FastAPI OAuth2 flow is a solid choice! Just make sure to review it properly for any gaps.

Answered By CautiousDev22 On

Your implementation sounds reasonably secure for most applications. With refresh token rotation and a strict CSP, you're on the right track. Focusing on details like rate limiting and cookie settings like SameSite could also enhance security. It's normal to feel overwhelmed, but you've put in a solid effort, so don't overthink it too much!
