Hi @EnterpriseArchitect ,
As you mentioned, you need at least a network contributor role to manage VNETs and NSGs. For firewalls depending on what you need to do you may need something more privileged like a Security Administrator or a Global Admin, since part of the features in Azure Firewall involve setting up or denying access for particular users.
You could look into custom roles but depending on what you need to do for user access controls you may end up needing higher privilege. For most of the things you mentioned Network Contributor will be enough, though.