So it turned out that there's a specific kind of custom role I don't see after having created it: actually, I wanted to define a custom role with an assignable scope limited to only one virtual machine instance in a specific resource group. I still have no idea why I can't see these (and only these), but there is a workaround which may be the preferred way by Azure, no idea.
It's:
- Go to the virtual machine you want to grant access to
- There is an Access Control (IAM) panel, too
- Add an Owner role for somebody you want to have access to that particular virtual machine only
The person will be able to start/stop this specific virtual machine. Done.