Definitely validate the access of the token on the server side, and let the server API decide whether to provide information or not. If the token is valid, let it succeed; if not valid, return a 401 error on the API.
Make React Router dumb. On the page where the information is supposed to be protected, call your backend API to load the information on "componentDidLoad" or something. If it succeeded, display the information; if you get a 401 error, you can use React Router middleware or something to kick people automatically out to another page that says login required.
Although you can keep some state on the client side, like "is the user logged in, i.e. does the user have a token or not": if the user doesn't have a token, you can use React Router to automatically direct the user to a login page to obtain a token.
But all VALIDATION must be done on the server side api.
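
The flow described above, as an added example that is not part of the original post: the server function is the only place a token is checked, and the page loader only reacts to the API's status code. The session store, token strings, routes and function names are constructed for illustration, and the API call is made in-process instead of over HTTP so the block runs offline.

```javascript
// Constructed sample session store (server side). Token values are made up.
const SESSIONS = new Map([
  ["tok-alice-valid", { user: "alice", expiresAt: Date.parse("2999-01-01T00:00:00Z") }],
  ["tok-bob-expired", { user: "bob", expiresAt: Date.parse("2000-01-01T00:00:00Z") }],
]);

// SERVER: the only place a token is validated. Every protected endpoint calls this.
function authenticate(headers, now = Date.now()) {
  const match = /^Bearer (\S+)$/.exec(headers.authorization || "");
  if (!match) return null;                      // missing or malformed header
  const session = SESSIONS.get(match[1]);
  if (!session || session.expiresAt <= now) return null; // unknown or expired
  return session;
}

// SERVER: protected endpoint. No valid token means no data, only a 401.
function getProfile(request) {
  const session = authenticate(request.headers);
  if (!session) return { status: 401, body: { error: "login required" } };
  return { status: 200, body: { user: session.user, notes: `notes for ${session.user}` } };
}

// CLIENT: "dumb" loader run when the protected page mounts.
// It never judges the token itself; it only reacts to what the API answers.
// `api` stands in for the HTTP call, `navigate` for the router's redirect.
function loadProtectedPage(storedToken, api, navigate) {
  // Convenience only: skip the round trip when there is no token at all.
  if (!storedToken) { navigate("/login"); return null; }
  const response = api({ headers: { authorization: `Bearer ${storedToken}` } });
  if (response.status === 401) { navigate("/login"); return null; }
  return response.body;                         // safe to render
}

// Walk through the four cases: valid, expired, made-up, and no token.
const redirects = [];
for (const token of ["tok-alice-valid", "tok-bob-expired", "tok-made-up", null]) {
  const data = loadProtectedPage(token, getProfile, (path) => redirects.push(path));
  console.log(token, "->", data ? `render page for ${data.user}` : "redirect to /login");
}
```

Skipping the client loader and calling `getProfile` directly without a valid token still returns 401, which is why the client-side check is only a convenience.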