How much privilege to give on Azure to use auto-unseal using Azure Key Vault

In this guide, the application is given the Owner role with the scope of the whole subscription, but is that even necessary? Personally I think that’s too much and the amount of privilege should be limited. Is it possible to limit the scope of that application, to just relevant resources, or is there any special consideration about that subscription (like a whole subscription just for that one purpose)?