Token theft detection has nothing to do with JWT signing key.
Token theft detection is already enabled.
> each subsequent request that requires SuperTokens middleware validation, a database call is to be made?
No. Token theft detection happens when refreshing a session. Not validating a session.