Azure Subscription vs. Resource Group Roles & Permissions Clarification
To read or create resources in a resource group, you do not need subscription-wide permissions; they can also be applied just at resource group level.
The role that takes precedence is the highest role, regardless of wide/narrow scope.
If you are contributor on the group or the subscription, you can create the resources in the group. If you are reader in the group, and contributor in the subscription, you can also create the resources.
The subscription is a wider scope and applies to all resource groups within, but reader on the group does not apply to anything else in the subscription.