I configured my IdSvr client to return reference tokens to make them revocable. I'm also using the IdentityServer.EntityFramework library to store the generated reference tokens in the Tokens table. The Token Revocation endpoint requires the token to revoke. As an administrator I want to call revocation but I don't know the access token as the key is stored hashed in the database. How would the administrator locate the tokens to revoke for a user?

You can revoke by subject and client id.