I discovered what was happening. Because I already had the password hash, the only way (I know of) of updating the hash directly is by doing an update on the users table – which is what I was doing.
The problem was WP caches the users, so the next time you try and read the value (of the hash in this case to authenticate the user), the user was cached, but the cache has not been updated with the new hash, so the validation was happening on the old hash. After the page refresh, it was all OK.
So after the hash update, I am now clearing the cache which has sorted it out.
global $wpdb;
$wpdb->update($wpdb->users, ["user_pass" => $oldUser->hash],['ID' => $usr->ID]);
/* new line below */
wp_cache_delete($usr->ID, "users");