Applications Roles and RBAC

For a application solution on Istio like accounting there are roles like accountant with permissions like create account, update account etc.
And there is a Kubernetes service Account with corresponding operations. So for authorization I need to understand better if RBAC plays a role in this or not. Should I create a kubernetes accountant role? Assuming that I instead define the role in an external identity provider how exactly does Istio extract the role from the JWT Token? Are there both Authorization tokens and an Authentication token or just one type of token? With the Istio policies I have examined so far I dont see how role based authorization is performed in terms of JWT Tokens. I just see that the token can be confirmed by url to the JWT provider. What about roles and permissions in all this. Someone explain?

You can create a JWT authentication policy that verify and extract the claims from the JWT token and then use Istio authorization policy to enforce access control based on the JWT claims.

Do you mean who can create/modify the Istio authentication and authorization policy? That should be protected by k8s RBAC policy.