The network block in your wpa_supplicant.conf file must contain
scan_ssid=1
to connect to a hidden network. This is in addition to manually entering the SSID and encryption type and key into that file.
When the SSID is hidden, the beacon packets from the router do not have a SSID. scan_ssid makes the card send out a probe packet (Is anyone here 'My Secret Network") to make your router reveal itself as the one having that SSID. Anyone monitoring with a raw packet monitor will see that exchange and your SSID is not secret any more.
Pre-hashing the key with wpa_passphrase is recommended but not required. The hashing process is designed to use a lot of CPU time to make a dictionary attack more difficult. On a Pi it takes about a second to do the hash, this will be required each time you boot up if the key is stored as a passphrase text instead of pre-hashed.
If you have an old router that you can set up for a test, first set it with a non-hidden SSID and confirm that your Pi can at least connect to it. Then change to hidden SSID and see if that still works. The test router does not need to be connected to the Internet, so there is no security risk. Edit: If you do this you may need to do it at home. Some of the more sophisticated work networks detect unauthorized wifi signals and jam them.