
AMA PowerShell setup script errors

LostInTranslation 0 Reputation points
2025-07-12T10:21:40.1966667+00:00

For Sentinel, I've set up the AMA firewall data connector in Azure and set up the DCR. I've installed the agent on my endpoint. I've read the guidance on Set Up the Azure Monitor Agent on Windows Client Devices - Azure Monitor | Microsoft Learn - although I'm not sure I understand the monitored object part, but I'm assuming the data connector has resolved that. So, I believe I just need to run the PowerShell script on the Microsoft page.

I open PowerShell as a local admin. When the script executes and asks me to log in, I use an account which is the Azure Owner and I pick my subscription, but then the script errors.

New-AzRoleAssignment : Operation returned an invalid status code 'Conflict' - line 16 char:1

Further down, I get

Invoke-RestMethod : {"error":{"code":"InvalidAuthenticationToken","message":"The 'EvolvedSecurityTokenService' access token is invalid."}} - line :41 char:1

For line 16 I assume the conflict is because the user is an owner and already has the role. However, if I comment that line out I still have the 'access token is invalid' error.

No one else seems to have these issues, and it was suggested to me this could be a permissions issue on the subscription or resource group, but the user is the owner. Can anyone suggest what could be the issue or what steps I've missed?

Azure Monitor