How to apply roleAssignment write permissions to an application registration

Robin 20 Reputation points
2024-01-10T16:10:08.56+00:00

Hey,

I have an application registration to grant a Terraform pipeline access to Azure. The application registration has the Contributor role on subscription scope. But Terraform now needs to be able to assign roles inside a resource group that was created by the Terraform pipeline. Since I also don't have more than the Contributor role I can't just try out what works for this case. I requested to get the Role Based Access Control Administrator role added for the app registration on subscription scope since it seems that this role has the "Authorization/roleAssignments/write" action in its permissions. But I still get the following error:

Failed to add {securityPrincipal} as {role} for {scope} : The client '{clientName}' with object id '{objectId}' does not have authorization or an ABAC condition not fulfilled to perform action 'Microsoft.Authorization/roleAssignments/write' over scope '/subscriptions/{subscriptionId}/Microsoft.Authorization/roleAssignments/{roleAssignmentId}' or the scope is invalid. If access was recently granted, please refresh your credentials.

Do I have to configure a role assignment condition for the Role Based Access Control Administrator in order to be able to use the role assignments write action, and do I have to use tags to make it work?

Would it be possible to just create a custom role for the application registration with the "Authorization/roleAssignments/write" permission and use this for the app registration so I can ignore the role assignment conditions?

Is there maybe any other way / best practice to manage the permissions of the application registration so that it can be avoided that Terraform ends up with a role that has permissions it does not need?

I am pretty new to the Azure Cloud so I don't even know if I am on the right track.
It would be really helpful if someone could point me in the right direction.
Thanks :)


Accepted answer
2024-01-11T04:11:16.3333333+00:00

Hello @SchnilchMitte, to be able to create or update a roleAssignment you can create a custom role with the action Microsoft.Authorization/roleAssignments/write and assign it. To strengthen security you can add conditions (e.g. only certain principals with certain attributes are allowed), and finally you can make the assignment expire using Privileged Identity Management.

Let us know if you need additional assistance. If the answer was helpful, please accept it and rate it so that others facing a similar issue can easily find a solution.

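The following Python script is an added illustration, not code from this thread or from Microsoft, of why the Contributor role in the question cannot write role assignments while the answer's custom role can, and of how an ABAC condition on the assignment produces the "ABAC condition not fulfilled" branch of the error above. The role definitions in it are constructed, abridged approximations of the built-in Contributor and Role Based Access Control Administrator roles (the real ones carry more entries), the custom role name is hypothetical, and the condition check is a simplified model of the "only allow assigning these role definitions" condition rather than Azure's full condition language.

```python
"""Model of how Azure RBAC decides whether a principal may perform an action.

Added illustration, not code from the Q&A thread or from Microsoft. Role
definitions are constructed, abridged approximations; compare with the real
ones via `az role definition list --name "<role name>"`.
"""
import re

# Constructed, abridged: Contributor allows everything, then carves out the
# authorization write/delete actions via NotActions.
CONTRIBUTOR = {
    "Actions": ["*"],
    "NotActions": [
        "Microsoft.Authorization/*/Delete",
        "Microsoft.Authorization/*/Write",
        "Microsoft.Authorization/elevateAccess/Action",
    ],
}

# Constructed, abridged: RBAC Administrator explicitly lists the assignment actions.
RBAC_ADMINISTRATOR = {
    "Actions": [
        "Microsoft.Authorization/roleAssignments/write",
        "Microsoft.Authorization/roleAssignments/delete",
        "Microsoft.Authorization/*/read",
    ],
    "NotActions": [],
}


def action_matches(pattern: str, action: str) -> bool:
    """Azure action strings compare case-insensitively and '*' matches any run
    of characters, including '/' separators."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, action, re.IGNORECASE) is not None


def role_grants(role: dict, action: str) -> bool:
    """A role's effective permissions are its Actions minus its NotActions."""
    allowed = any(action_matches(p, action) for p in role["Actions"])
    denied = any(action_matches(p, action) for p in role["NotActions"])
    return allowed and not denied


def principal_may(assigned_roles, action: str) -> bool:
    """Assignments are unioned: a NotAction in one role does not block
    another role that grants the action outright."""
    return any(role_grants(r, action) for r in assigned_roles)


def custom_role_definition(subscription_id: str) -> dict:
    """The least-privilege custom role suggested in the accepted answer: only the
    role-assignment actions the pipeline needs, assignable at subscription scope.
    Keys follow the JSON that `az role definition create --role-definition` reads."""
    return {
        "Name": "Terraform Role Assignment Writer",  # hypothetical name
        "IsCustom": True,
        "Description": "Create, read and delete role assignments; nothing else.",
        "Actions": [
            "Microsoft.Authorization/roleAssignments/read",
            "Microsoft.Authorization/roleAssignments/write",
            "Microsoft.Authorization/roleAssignments/delete",
        ],
        "NotActions": [],
        "AssignableScopes": [f"/subscriptions/{subscription_id}"],
    }


def assignment_allowed(assigned_roles, allowed_role_ids, requested_role_id: str):
    """Action check followed by a simplified ABAC condition: the principal may
    only hand out role definitions listed in `allowed_role_ids`. An empty set
    models an assignment that carries no condition."""
    if not principal_may(assigned_roles, "Microsoft.Authorization/roleAssignments/write"):
        return False, "action not permitted"
    if allowed_role_ids and requested_role_id.lower() not in {r.lower() for r in allowed_role_ids}:
        return False, "ABAC condition not fulfilled"
    return True, "ok"


if __name__ == "__main__":
    write = "Microsoft.Authorization/roleAssignments/write"
    print("Contributor alone:", principal_may([CONTRIBUTOR], write))
    print("Contributor + RBAC Administrator:", principal_may([CONTRIBUTOR, RBAC_ADMINISTRATOR], write))
    custom = custom_role_definition("00000000-0000-0000-0000-000000000000")  # placeholder id
    print("Custom role:", principal_may([custom], write))
    # Condition allows only the (placeholder) Reader definition id; assigning another id fails.
    print(assignment_allowed([CONTRIBUTOR, RBAC_ADMINISTRATOR], {"reader-definition-id"}, "owner-definition-id"))
```

The second result is what the question is missing: Contributor's `Microsoft.Authorization/*/Write` NotAction only narrows Contributor itself, so a second assignment that lists `roleAssignments/write` does grant it. If the action is granted and the call still fails, the remaining branches of the error are a condition attached to that assignment (modelled by `assignment_allowed`) or a token issued before the assignment was made.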
