Application objects support custom Azure AD roles, so you can create a new role with just the required permissions, and optionally assign it to just the app(s) in question. Start by going to the Azure AD blade > Roles and administrators > hit the New custom role button and follow the steps therein to assign the desired permissions. Once the role has been created, you need to assign it, which can be a scoped assignment to just specific app(s). To do this, select the newly created role, hit the Add assignments button, and select Application under Scope type. Next, hit the link under Selected scope and point to the app(s) you want to include in the scope. Lastly, assign the user.
For more details, refer to this article: https://learn.microsoft.com/en-us/azure/active-directory/roles/custom-enterprise-apps
It's for a slightly different use case, but the basics remain the same - just replace the corresponding permissions as needed.
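
The portal steps above can also be scripted with the Microsoft Graph PowerShell SDK. The following is an added example, not part of the original answer: the role name, app name, user, and the single permission are placeholder assumptions to be replaced with your own values. It creates the role, assigns it at the scope of one application object, and then checks that no assignment of the role is tenant-wide.

```powershell
$ErrorActionPreference = 'Stop'
Connect-MgGraph -Scopes 'RoleManagement.ReadWrite.Directory','Application.Read.All','User.Read.All'

# Placeholder values (assumptions, not taken from the answer above).
$roleName = 'Scoped App Credential Manager'
$appName  = 'Contoso Sample App'
$userUpn  = 'delegate@contoso.example'
# Keep this list to the minimum the delegate actually needs.
$actions  = @('microsoft.directory/applications/credentials/update')

# 1. Create the custom role with only the required permissions.
$role = New-MgRoleManagementDirectoryRoleDefinition `
    -DisplayName $roleName `
    -Description 'Manage credentials on explicitly scoped applications only.' `
    -TemplateId (New-Guid).Guid `
    -IsEnabled `
    -RolePermissions @{ allowedResourceActions = $actions }

# 2. Resolve the application object and the user. Display names are not
#    unique, so refuse to continue unless exactly one application matches.
$apps = @(Get-MgApplication -Filter "displayName eq '$appName'")
if ($apps.Count -ne 1) {
    throw "Expected exactly one application named '$appName', found $($apps.Count)."
}
$user = Get-MgUser -UserId $userUpn

# 3. Assign the role scoped to that one application object.
#    A DirectoryScopeId of '/' would grant the role across the whole tenant.
$scope = "/$($apps[0].Id)"
New-MgRoleManagementDirectoryRoleAssignment `
    -RoleDefinitionId $role.Id `
    -PrincipalId $user.Id `
    -DirectoryScopeId $scope | Out-Null

# 4. Verify: list every assignment of this role and flag tenant-wide ones.
$assignments = @(Get-MgRoleManagementDirectoryRoleAssignment `
    -Filter "roleDefinitionId eq '$($role.Id)'")
$assignments | Select-Object PrincipalId, DirectoryScopeId | Format-Table

$tenantWide = @($assignments | Where-Object { $_.DirectoryScopeId -eq '/' })
if ($tenantWide.Count -gt 0) {
    Write-Warning "$($tenantWide.Count) assignment(s) of '$roleName' are tenant-wide."
}
```

Re-running step 4 on a schedule is a simple way to catch a later tenant-wide assignment of a role that was meant to stay scoped.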