A few things:
You cannot use multiple connections to the same database for security.
Now, read the above again nice and slow!!!
So, if you using windows authentication for logons, then you don't really have different connections, and it does not matter, does it? (either you can use the SQL server, or you can't). When using windows auth, then member ship in roles etc. is managed by windows, and not by sql server.
If you using SQL server logons, then you can't use DIFFERENT logons with different connections from the ONE access application. I stated this in the first sentence here, and I mean what I say, and I said what I meant.
The reason for above is that Access will cache ANY valid connection to the database. That means if you opened a form, used code, used a pass-though query, it DOES NOT matter, but ONLY that some place, some how, some where you obtained a valid connection to sql server. The VERY instant you do this, then that user/password + valid connection is now cached by access.
And once the above occurs, if you THEN say use a table that linked using a read only connection's and logon? Well, since at SOME point in time you connected with a valid read/write logon, then that will be used!!!
Worse, is you really cant control WHICH cached logon will be used!!
What the above means is that multiple connections with different rights MUST BE REMOVED from your design assumptions here.
To be fair, this caching of valid connections is one of the best features of ODBC connections in Access, since this means you can link all of your tables WITHOUT including the user id + password. This means no user id and password exists in the linked tables, and thus someone opening up the application (or even attempting to import the linked tables to another application) will find that those links do NOT work (until such time you execute a valid SQL logon from Access).
While this is a "huge" increase in security when using linked tables, the downside of this knowledge is that you thus can't have multiple connection to the same database with different rights, and you can't do this, since you have NO control over which connection will be used by Access.
As for using roles from SQL server? I suppose if this is a compiled Access application (accDE),then a function to test/check for membership in a sql server role could be adopted, and thus forms could be prevented from being open by users without membership in such roles.
As for how the cached user + password system works, and how you can use this greatly to your advantage is explained here:
https://www.microsoft.com/en-us/microsoft-365/blog/2011/04/08/power-tip-improve-the-security-of-database-connections/#:~:text=Power%20Tip%3A%20Improve%20the%20security%20of%20database%20connections,one%20more%20hole%20...%207%20Extra%20reading%20