A users access_token will only work with the consumer key it was generated with. Once you deactivate an old consumer key the user access_tokens generated by it will stop working.
The general approach is to follow is to have all current user’s access_tokens associated with consumer key A. Once you deploy a new consumer key B all new authentications will use that and their new acces_tokens will overwrite the old ones and be associated with consumer key B. When doing work in the background you will have to make sure the consumer key associated with the acting user gets used.
User’s will naturally migrate to the new consumer key as they authenticate with your app. As you get closer to wanting to deactivate the old consumer key you can start reseting users authentication so they have to login again. Eventually you’ll have to just disable the old key and users won’t be able to do anything until they reauthorize.