When we create a managed identity, Azure creates a service principal behind the scenes, and that service principal is what gets the role assignments.
Azure AD creates an AD identity when you configure an Azure resource to use a system-assigned managed identity. The configuration process is described in more detail, below. Azure AD then creates a service principal to represent the resource for role-based access control (RBAC) and access control (IAM). The lifecycle of a system-assigned identity is tied to the resource it is enabled for: it is created when the resource is created and it is automatically removed when the resource is deleted.
To call this API, you must have access to the Microsoft.Authorization/roleAssignments/write operation. Of the built-in roles, only Owner and User Access Administrator are granted access to this operation.
It means the service principal created (in my case I had an existing one used to create the role, the client afd5bd09-c294-4597-9c90-e1ee293e5f3a shown in the error message) must have an Owner or User Access Administrator role. In my case my service principal did not have it.
So it was a matter of having access to the Microsoft.Authorization/roleAssignments/write operation. All that I did was go to the subscription I am owner of and assign the User Access Administrator role to the service principal that the Terraform workflow was referencing, and it works.
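An added Terraform example (not from the answer above) showing the two sides of this: the role assignment the workflow creates for a managed identity's service principal, which is the call that requires Microsoft.Authorization/roleAssignments/write, and the prerequisite grant the deploying service principal itself needs, scoped to the resource group rather than the whole subscription. Resource names, the location, the Reader role and the resource-group scope are assumptions.

```hcl
# Added example, not from the original answer. Names and scope are assumed.
terraform {
  required_providers {
    azurerm = { source = "hashicorp/azurerm" }
  }
}

provider "azurerm" {
  features {}
}

# The identity Terraform itself runs as (the client id seen in the error message).
data "azurerm_client_config" "deployer" {}

resource "azurerm_resource_group" "rg" {
  name     = "rg-example"
  location = "westeurope"
}

# A user-assigned managed identity; Azure creates its service principal behind the scenes.
resource "azurerm_user_assigned_identity" "app" {
  name                = "id-example-app"
  resource_group_name = azurerm_resource_group.rg.name
  location            = azurerm_resource_group.rg.location
}

# This resource is what needs Microsoft.Authorization/roleAssignments/write.
# It grants the managed identity's service principal Reader on the resource group only.
resource "azurerm_role_assignment" "app_reader" {
  scope                = azurerm_resource_group.rg.id
  role_definition_name = "Reader"
  principal_id         = azurerm_user_assigned_identity.app.principal_id
}

# Handy when the apply fails with an authorization error: this is the principal
# that must hold Owner or User Access Administrator at the target scope.
output "deployer_object_id" {
  value = data.azurerm_client_config.deployer.object_id
}

# Prerequisite, done once by a subscription Owner outside this workflow.
# Scoping it to the resource group limits what role assignments the workflow can manage:
#   az role assignment create --assignee <deployer-client-id> \
#     --role "User Access Administrator" \
#     --scope /subscriptions/<subscription-id>/resourceGroups/rg-example
```

Without the prerequisite grant, `terraform apply` creates the identity but fails on the azurerm_role_assignment resource with the authorization error the answer describes.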