Handling roles across multiple customers/hostnames

In general your approach is suitable, although the security aspects of it would always be dependent on the full implementation. For example, would a client application be able to get tricked into simulating that the request is from another application/domain and as such receive roles not meant for it?

I would advise you also, if you haven’t done so already, to take a look at the authorization extension documentation, as I see some overlap between what it offers and what you’re trying to achieve. In particular, when you create a role in the extension it already asks you which application this role is associated with, so you may get a quicker implementation of your requirements by leveraging the extension.