Welcome to Microsoft Q&A Platform, thanks for posting your query here.
AKS with CNI requires the user to have "Owner" or "Network Contributor" role on the Azure Virtual Network (vnet) resource. This is because when CNI is used, it creates an Azure Virtual Network (vnet) and a subnet in your Azure subscription to manage networking resources for AKS pods.
As you mentioned, you already have "Contributor" access to the entire subscription, but it might not be enough for creating virtual networks and subnets. You need to have "Owner" or "Network Contributor" for the duration of the AKS cluster creation, so you can successfully create the necessary resources.
If you don't want to be assigned the "Owner" role, you can create a custom role with the necessary permissions for AKS with CNI. This custom role should have the required permissions to create and manage network resources within the vnet and subnet.
If you are unable to get the required permissions for creating vnets and subnets, you can pre-create the Azure Virtual Network and subnet manually. In this case, you should create the vnet and subnet with the desired configuration (address space and subnet range) before deploying AKS. During AKS cluster creation, you can specify the existing vnet and subnet.
Hope this helps.