There would be no need to give them anything beyond permissions in the "Recipient Management" role group, or to create a custom role group.
You could add them to that role group (or they may already be in it).
Both New-RemoteMailbox and Enable-RemoteMailbox are part of Recipient Management.
There would be no requirement for them to have access to the AADConnect sync or access through the firewall.
The remote mailbox commands run on-prem; the mailbox is provisioned in Office 365 when the AADConnect sync happens automatically every 30 minutes.
Ensure your process also licenses the mailbox created in Exchange Online for Exchange... :)
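The delegation and provisioning flow described in the answer above, as an added example run from the on-premises Exchange Management Shell (not code from the original post). The help-desk group name, the user identities, the remote routing domain and the licence SKU are placeholders; the final licensing step assumes the Microsoft Graph PowerShell SDK is installed and that the operator running it has a separate licensing role, since Recipient Management alone does not grant that.

```powershell
# --- 1. Least-privilege delegation: grant only Recipient Management ---
# Placeholder security group; replace with the helpdesk group in your AD.
$helpdeskGroup = 'CONTOSO\Helpdesk-Mailbox-Provisioning'

Add-RoleGroupMember -Identity 'Recipient Management' -Member $helpdeskGroup

# Verify the assignment actually covers the two cmdlets the process needs
# and nothing broader (e.g. no Organization Management membership).
$roles = Get-ManagementRoleAssignment -RoleAssignee 'Recipient Management' |
         Select-Object -ExpandProperty Role -Unique
foreach ($cmdlet in 'New-RemoteMailbox', 'Enable-RemoteMailbox') {
    $covered = Get-ManagementRole -Cmdlet $cmdlet |
               Where-Object { $roles -contains $_.Name }
    if (-not $covered) { Write-Warning "$cmdlet is not covered by Recipient Management" }
}

# --- 2. Provisioning, run by the delegated operator on-prem ---
# Placeholder values: routing domain and user details are constructed.
$routingDomain = 'contoso.mail.onmicrosoft.com'

# Existing AD user without a mailbox: stamp the remote mailbox attributes.
Enable-RemoteMailbox -Identity 'jdoe' `
    -RemoteRoutingAddress "jdoe@$routingDomain"

# Brand-new user: create the AD account and remote mailbox in one step.
$initialPassword = Read-Host -AsSecureString -Prompt 'Initial password for new user'
New-RemoteMailbox -Name 'Jane Roe' `
    -UserPrincipalName 'jroe@contoso.com' `
    -Password $initialPassword `
    -OnPremisesOrganizationalUnit 'contoso.com/Users' `
    -RemoteRoutingAddress "jroe@$routingDomain"

# Confirm the on-prem object is a remote mailbox; the cloud mailbox itself
# appears only after the next scheduled AADConnect delta sync (every 30 min).
Get-RemoteMailbox -Identity 'jroe' |
    Select-Object DisplayName, RemoteRecipientType, RemoteRoutingAddress

# --- 3. Licensing after sync, from a separately privileged session ---
# Assumes Microsoft.Graph module; SKU id below is a placeholder.
# Connect-MgGraph -Scopes 'User.ReadWrite.All', 'Organization.Read.All'
# $exoSku = (Get-MgSubscribedSku | Where-Object SkuPartNumber -eq 'EXCHANGESTANDARD').SkuId
# Set-MgUserLicense -UserId 'jroe@contoso.com' `
#     -AddLicenses @{ SkuId = $exoSku } -RemoveLicenses @()
```

The verification loop in step 1 is the part worth keeping in a change ticket: it shows that the delegated group can run exactly the two remote-mailbox cmdlets without any access to the AADConnect server or the firewall, which is the control the answer relies on.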