This message was deleted.

Looks like I found the problem. Maybe it could be useful for someone. Nowhere it is mentioned that for <name> should be provided UserGroup Object Id, rather than just literally "name" of the group So correct format for roleRef: name is

"azuread_group://<object id value>"