Hi,
The level at which the custom role is created does not mean the custom role gives permissions at that level. In fact, just creating a custom role does not give any permissions. After you have created the custom role, you will have to do a role assignment. For one custom role you can do multiple role assignments, as long as either the scope of the role assignment or the Azure AD principal (user, MI, SP, group) is different.

Let's say you create the custom role for Subscription A. This means you can use that custom role for role assignments only at that level. If you want to use it at Subscription B, you will not be able to. You will need either to create the same role in Subscription B or to create the role at a management group where both subscriptions are located.

Moving back to the role assignments. You can do a role assignment for the custom role at subscription level; that way the permissions will be given to the Azure AD principal for all resources (that are part of the custom role definition) under the subscription. You can do a role assignment for the custom role at a specific resource group; that way the permissions will be given to the Azure AD principal for all resources (that are part of the custom role definition) within the resource group. You can even do a role assignment for the custom role on a specific resource; that way the permissions will be given to the Azure AD principal only for that resource.
Remember that there are certain limits on using custom roles at management group level and certain limits on the number of role assignments possible.
Please "Accept the answer" if the information helped you. This will help us and others in the community as well.
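As an added illustration (example code, not part of the answer above and not Microsoft tooling), the following Python models the two rules the answer describes offline: a custom role can only be assigned at or below one of the scopes listed in its `AssignableScopes`, and an assignment grants the role's `Actions` to the principal on everything at or below the assignment scope and nowhere else. In a real tenant the corresponding operations are `az role definition create --role-definition role.json` and `az role assignment create --assignee <principal> --role <name> --scope <scope>`; here the subscription IDs (`sub-a`, `sub-b`, `sub-c`), management group names, role names and principal names are all made up for the example.

```python
"""Offline model of Azure RBAC custom-role scoping. Example code; the
scope hierarchy, role names and principals below are constructed."""
import re
from dataclasses import dataclass
from fnmatch import fnmatchcase

MG_PREFIX = "/providers/Microsoft.Management/managementGroups/"

# Constructed hierarchy: subscriptions A and B share one management group,
# subscription C sits under a different one.
PARENT = {
    "/subscriptions/sub-a": MG_PREFIX + "contoso-root",
    "/subscriptions/sub-b": MG_PREFIX + "contoso-root",
    "/subscriptions/sub-c": MG_PREFIX + "other-root",
}

_SUB_SCOPE = re.compile(
    r"^(/subscriptions/[^/]+)(/resourceGroups/[^/]+)?(/providers/.+)?$",
    re.IGNORECASE,
)


def ancestors(scope: str) -> list[str]:
    """Return the scope itself plus every scope above it, most specific
    first: resource -> resource group -> subscription -> management group."""
    chain = []
    m = _SUB_SCOPE.match(scope)
    if m:
        sub, rg, res = m.groups()
        if res:
            chain.append(sub + (rg or "") + res)
        if rg:
            chain.append(sub + rg)
        chain.append(sub)
        cur = PARENT.get(sub.lower())
    else:
        cur = scope  # already a management group scope
    while cur:
        chain.append(cur)
        cur = PARENT.get(cur.lower())
    return chain


@dataclass
class RoleDefinition:
    name: str
    actions: list[str]
    not_actions: list[str]
    assignable_scopes: list[str]  # the AssignableScopes field of the JSON


@dataclass
class RoleAssignment:
    principal: str
    role: RoleDefinition
    scope: str


def can_assign(role: RoleDefinition, scope: str) -> bool:
    """Assignment is accepted only when its scope is at or below one of the
    definition's AssignableScopes. Azure scopes compare case-insensitively."""
    anc = {s.lower() for s in ancestors(scope)}
    return any(a.lower() in anc for a in role.assignable_scopes)


def assign(assignments: list, principal: str, role: RoleDefinition, scope: str) -> RoleAssignment:
    if not can_assign(role, scope):
        raise ValueError(f"{role.name!r} is not assignable at {scope}")
    ra = RoleAssignment(principal, role, scope)
    assignments.append(ra)
    return ra


def _matches(action: str, patterns: list[str]) -> bool:
    # Actions/NotActions support '*' wildcards, case-insensitively.
    return any(fnmatchcase(action.lower(), p.lower()) for p in patterns)


def is_allowed(assignments: list, principal: str, resource_scope: str, action: str) -> bool:
    """An assignment applies to a resource only when the assignment scope is
    the resource's own scope or one of its ancestors."""
    anc = {s.lower() for s in ancestors(resource_scope)}
    for ra in assignments:
        if ra.principal != principal or ra.scope.lower() not in anc:
            continue
        if _matches(action, ra.role.actions) and not _matches(action, ra.role.not_actions):
            return True
    return False


# Constructed sample roles and resources.
VM_ACTIONS = ["Microsoft.Compute/virtualMachines/read",
              "Microsoft.Compute/virtualMachines/restart/action"]
ROLE_SUB_A = RoleDefinition("VM Restarter (sub A)", VM_ACTIONS, [], ["/subscriptions/sub-a"])
ROLE_MG = RoleDefinition("VM Restarter (MG)", VM_ACTIONS, [], [MG_PREFIX + "contoso-root"])
RESTART = "Microsoft.Compute/virtualMachines/restart/action"
VM1 = "/subscriptions/sub-a/resourceGroups/rg1/providers/Microsoft.Compute/virtualMachines/vm1"
VM2 = "/subscriptions/sub-a/resourceGroups/rg2/providers/Microsoft.Compute/virtualMachines/vm2"

if __name__ == "__main__":
    print("sub-A role at sub-B:", can_assign(ROLE_SUB_A, "/subscriptions/sub-b"))
    print("MG role at sub-B:", can_assign(ROLE_MG, "/subscriptions/sub-b"))
    ras = []
    assign(ras, "alice", ROLE_SUB_A, "/subscriptions/sub-a/resourceGroups/rg1")
    print("alice restart vm1 (rg1):", is_allowed(ras, "alice", VM1, RESTART))
    print("alice restart vm2 (rg2):", is_allowed(ras, "alice", VM2, RESTART))
```

Running it shows the answer's points in order: the subscription-A role cannot be assigned in subscription B, the management-group role can be assigned in both, and an assignment at `rg1` grants the restart action on `vm1` but not on `vm2` in another resource group.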