Service principal can deploy using PowerShell commands, but with ARM I get permission error on linked scopes. Why?

Question

I created a PowerShell script for deploying an Azure databaseserver and database. I created a service principal with contribute role on the resource group.

Then, using the PowerShell commands I am able to create the databaseserver and the database.

    $Build = '389'

    ##$SubscriptionId = ''
    $resourceGroupName = "rg-hoolahoop"
    $location = "westeurope"
    # Set an admin login and password for your server
    $adminSqlLogin = "SqlAdmin"
    $password = "ThisIsTheMostUglyPassWordEverToBeCreatedWhileDoing@23456789!"

    # Set server name - the logical server name has to be unique in the system
    $serverName = "thebest-hoolahoop-dev"
    # The sample database name
    $databaseName = "hoolahoop-$($build)" 
    # The ip address range that you want to allow to access your server
    $startIp = "0.0.0.0"
    $endIp = "0.0.0.0"

    # Create a server with a system wide unique server name
    $server = New-AzSqlServer `
        -ResourceGroupName $resourceGroupName `
        -ServerName $serverName `
        -Location $location `
        -SqlAdministratorCredentials $(New-Object -TypeName System.Management.Automation.PSCredential `
        -ArgumentList $adminSqlLogin, $(ConvertTo-SecureString -String $password -AsPlainText -Force))

    # Create a server firewall rule that allows access from the specified IP range
    $serverFirewallRule = New-AzSqlServerFirewallRule `
        -ResourceGroupName $resourceGroupName `
        -ServerName $serverName `
        -FirewallRuleName "AllowedIPs" -StartIpAddress $startIp -EndIpAddress $endIp

    # Create a blank database with an S0 performance level
    $database = New-AzSqlDatabase  `
        -ResourceGroupName $resourceGroupName `
        -ServerName $serverName `
        -DatabaseName $databaseName `
        -RequestedServiceObjectiveName "S1" `
        -CatalogCollation "Latin1_General_CI_AS"

When I try the same deployment, but with an ARM template. I get the following error:

{
"status": "Failed",
"error": {
"code": "LinkedAuthorizationFailed",
"message": "The client 'xxxx' with object id 'xxxx'
has permission to perform action 'Microsoft.Sql/servers/databases/write' on scope
'/subscriptions/xxxx/resourcegroups/rg-hoolahoop/providers/Microsoft.Sql/servers/thebest-hoolahoop-dev/databases/hoolahoop-389'; however,
it does not have permission to perform action 'read' on the linked scope(s) '/subscriptions/xxxxx/providers/Microsoft.Maintenance/publicMaintenanceConfigurations/SQL_Default'
or the linked scope(s) are invalid."
}
}

UPDATE1

Even when I give the service principal the role of owner on the subscription scope, the error persists.

UPDATE2

The ARM template from the PowerShell deployment had this line

"maintenanceConfigurationId": "/subscriptions/f9f7bb68-17f6-4089-95a7-a5d7063e70b9/providers/Microsoft.Maintenance/publicMaintenanceConfigurations/SQL_Default"

in the properties definition of the database. This line caused the permission error. Still weird that it can deploy this from the same login using PowerShell commands and not when using an ARM template.