a modern approach, give the user's authorization data encrypted in the form of a token, the decryption key is stored in memory, and nothing is looked up in the database and is not compared with anything, when requested, the token data is decrypted, and it is decided to give access or not based on its token (in the token says what permissions the user has), which allows you to remove the load from the database and unlimitedly scale the functionality across servers, since each server has the same key for decryption, in the case of checking data in a single database, scaling will rest on the performance of this database.

The hash is correct. You can also put this hash in the cookie so that the authorization is saved when the session is closed. And consistently check when opening the site, first the session variable, then the cookie. If there is no hash in the cookie, then the user is definitely out))
And with forced deauthorization, you can do this. Whether you in an index file check the user is authorized or not. Each time you visit the site, you compare the hash in the browser with the hash of the database. If different then - ask to log in again.

I would return 401 errors for a crooked/deleted/missing token.
You can also write not one token, but several (so that you can log in from different browsers / devices).
When loading an application, I would advise you to send a request to get the current user by token. If 401 is returned, then the user is not authorized. If at the same time the token remains on the client (for example, localStorage), then it must be deleted.
In general, the standard approach.
I would still send authorization not through MYPRIVATEHEADER, but as "Authorization: Bearer 2398mv59023m5v32".