Okay that added context changes how you are going to have to do this. Adding the roles to the access token is not going to provide a solution for this case.
I ended up looking into this pretty heavily because I thought there would be a fairly strait forward way to accomplish the goal. I ended up having to get the users from get roles' users and then doing a search for their ids and the connection. I don’t think this would scale so probably not recommended.
The best option I can think of for this specific case would be to add the role as metadata. This way you can use getUsers search to access it. Depending on how you assign roles this could be done automatically for new users via a Rule.
Let me know if you need further detail.
Thanks,
Dan