
Azure RBAC: Error renewing website certificate (Let's Encrypt)


This Q&A is related to another Q&A, linked here. The helpful answer there by Sridevi got me past the first set of gates.

I feel I'm very close to getting a certificate renewal, but now I'm running into this problem:

LinkedAuthorizationFailed: The client has permission to perform action 'Microsoft.Web/certificates/write' on scope '/subscriptions/[redacted]/resourceGroups/[redacted]/providers/Microsoft.Web/certificates/[redacted]'; however, it does not have permission to perform action 'write' on the linked scope(s) '/subscriptions/[redacted]/resourceGroups/[redacted]/providers/Microsoft.Web/serverfarms/basic

I've added my registered application to the WebSite Contributor Role at the Resource Group level, as described here, but it's still failing with the error message above.

I assume by /subscriptions/[redacted]/resourceGroups/[redacted]/providers/Microsoft.Web/serverfarms/basic that Azure means the App Service Plan (which in my case is Basic), but I've verified that my Service Plan is in the same Resource Group and therefore has also authorized the application.

What is meant by that providers/Microsoft.Web/serverfarms/basic error log entry, and how do I grant my application access to perform a 'write' action on it? What is meant by 'linked scope'?


Solution

  • As mentioned in this MS Doc, Website Contributor manages only websites, not web plans.

    The providers/Microsoft.Web/serverfarms/* permission relates to web plans, which the Website Contributor role does not cover.

    There is one built-in RBAC role named Web Plan Contributor having Microsoft.Web/serverFarms/* permission that manages web plans.

    To resolve the error, you need to grant Web Plan Contributor role also to the registered application under your Resource group like below:


    In your case, make sure to grant Web Plan Contributor role to the registered application under the resource group scope where your App service exists.

    Reference: Web Plan Contributor role - Azure RBAC | Microsoft
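The LinkedAuthorizationFailed message names the exact resource ID the caller still cannot write, so the fix can be derived mechanically. The following POSIX shell script is an added example and is not part of the original question or answer: it extracts the linked scope from a constructed copy of the error, maps its resource type (Microsoft.Web/serverfarms) to the built-in role that carries `Microsoft.Web/serverFarms/*` (Web Plan Contributor), and prints the Azure CLI commands to first list what the application already holds and then add the assignment at the resource-group scope the answer describes. The subscription ID, resource group name, certificate name and application ID are placeholders. If you want a tighter assignment than the answer's, pass the plan's own resource ID (the linked scope itself) as the scope instead of the resource group; the role grants the same `Microsoft.Web/serverFarms/*` actions either way.

```shell
#!/bin/sh
# Added example, not code from the original Q&A. Turns a LinkedAuthorizationFailed
# message into the role assignment that covers the missing linked scope.

# Constructed sample error with placeholder IDs, shaped like the one in the question.
SAMPLE_ERROR="LinkedAuthorizationFailed: The client has permission to perform action 'Microsoft.Web/certificates/write' on scope '/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-example/providers/Microsoft.Web/certificates/example-cert'; however, it does not have permission to perform action 'write' on the linked scope(s) '/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-example/providers/Microsoft.Web/serverfarms/basic'."

# Placeholder application (client) ID of the registered app, not a real value.
APP_ID="11111111-1111-1111-1111-111111111111"

# linked_scope MESSAGE -> the resource ID quoted after "linked scope(s)"
linked_scope() {
    printf '%s\n' "$1" | sed -n "s/.*linked scope(s) '\([^']*\)'.*/\1/p"
}

# resource_type SCOPE -> provider namespace and type, e.g. Microsoft.Web/serverfarms
resource_type() {
    printf '%s\n' "$1" | sed -n 's#.*/providers/\([^/]*/[^/]*\)/.*#\1#p'
}

# resource_group_scope SCOPE -> the parent resource group ID (the scope the answer uses)
resource_group_scope() {
    printf '%s\n' "$1" | sed -n 's#^\(/subscriptions/[^/]*/resourceGroups/[^/]*\).*#\1#p'
}

# role_for_type TYPE -> built-in role whose definition includes <type>/*.
# Comparison is case-insensitive because ARM reports serverfarms/serverFarms inconsistently.
role_for_type() {
    case "$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')" in
        microsoft.web/serverfarms) echo "Web Plan Contributor" ;;
        microsoft.web/sites)       echo "Website Contributor" ;;
        *) echo "unknown" ; return 1 ;;
    esac
}

# fix_commands MESSAGE ASSIGNEE [SCOPE] -> prints the az commands to inspect and grant.
# SCOPE defaults to the resource group, as in the answer; pass the linked scope
# itself to assign the role on the App Service Plan only.
fix_commands() {
    msg="$1"
    assignee="$2"
    scope="$(linked_scope "$msg")"
    rtype="$(resource_type "$scope")"
    role="$(role_for_type "$rtype")" || { echo "no built-in role mapping for $rtype" >&2 ; return 1 ; }
    target="${3:-$(resource_group_scope "$scope")}"
    # Review what the principal already holds at that scope before adding more.
    printf 'az role assignment list --assignee %s --scope "%s" --output table\n' "$assignee" "$target"
    # Grant the covering role at the chosen scope.
    printf 'az role assignment create --assignee %s --role "%s" --scope "%s"\n' "$assignee" "$role" "$target"
}

fix_commands "$SAMPLE_ERROR" "$APP_ID"
```

Run the script to see the two commands it would issue; it does not call `az` itself, so you can review the scope and role before executing them.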