Can you exclude that service account from those policies if they are enabled?
As far as I know, it's not supported to add that role outside of the AADConnect Wizard:
https://learn.microsoft.com/en-us/azure/active-directory/hybrid/reference-connect-accounts-permissions#azure-ad-connector-account
However, you may be able to add it via PowerShell:
https://github.com/MicrosoftDocs/azure-docs/issues/53899