Applications Roles and RBAC

For an application solution on Istio like accounting, there are roles like accountant with permissions like create account, update account, etc.
And there is a Kubernetes service Account with corresponding operations. So for authorization I need to understand better if RBAC plays a role in this or not. Should I create a Kubernetes accountant role? Assuming that I instead define the role in an external identity provider, how exactly does Istio extract the role from the JWT token? Are there both authorization tokens and an authentication token, or just one type of token? With the Istio policies I have examined so far, I don't see how role-based authorization is performed in terms of JWT tokens. I just see that the token can be confirmed by URL to the JWT provider. What about roles and permissions in all this? Someone explain?