Nikita, 2020-07-03 01:05:23
Node.js

How to implement the creation of users with a non-base role in an application with RBAC?

In all the materials that I found while searching for an answer to this question, I met the same thing: it is shown how to create an express middleware that acts as a role guard. In general, everything is quite primitive, and everywhere a user with a non-basic access set is created just like a base user; they say there is a route auth/register and a route auth/register-admin. So I have no understanding of how admins, moderators, etc. are really supposed to be created. I would be very grateful for the knowledge needed to understand this, thanks!


2 answer(s)
Robur, 2020-07-03
@MiiZZo

Users with a non-base role obviously cannot register themselves; other users who have such a right must create them.
The auth/register call is available to everyone and creates a user with the normal role. The auth/register-admin call already has access rights, and only those who have the right can call this endpoint (and it’s more correct to call it not register-*, but create-*); it creates a user with the appropriate role instead of the base one.
There are essentially two options: either the user registers himself with a basic role and then those who have the right "raise" him, or those who have such a right create him in advance, immediately with the necessary roles.
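The two flows Robur describes (a public register call that always yields the base role, and privileged create-* and promote-* calls behind one authorization check) as an added Node.js example; this is not code from the original answer. The role names, the ASSIGNABLE table, the HttpError class and the in-memory Map are assumptions, and the check goes slightly beyond the answer's wording by also refusing to let a caller hand out a role their own role is not allowed to assign.

```javascript
class HttpError extends Error {
  constructor(status, message) { super(message); this.status = status; }
}

const ROLES = ['user', 'moderator', 'admin'];
// Which roles an actor may hand out when creating or promoting an account (assumed
// policy): a moderator may only create plain users; a plain user may assign nothing.
const ASSIGNABLE = {
  user: [],
  moderator: ['user'],
  admin: ['user', 'moderator', 'admin'],
};

const users = new Map(); // constructed in-memory store standing in for the database

// Public auth/register: the role is fixed server-side. A "role" field in the
// request body is ignored, so nobody can self-assign privileges on sign-up.
function register(body) {
  if (!body || typeof body.username !== 'string') throw new HttpError(400, 'username required');
  if (users.has(body.username)) throw new HttpError(409, 'username taken');
  const account = { username: body.username, role: 'user' };
  users.set(account.username, account);
  return account;
}

// The single authorization check shared by create-* and promote-*.
function canAssignRole(actor, targetRole) {
  if (!actor || !ROLES.includes(actor.role) || !ROLES.includes(targetRole)) return false;
  return ASSIGNABLE[actor.role].includes(targetRole);
}

// Privileged users/create: actor is the already-authenticated caller (as a session
// or token middleware would attach it); the requested role is checked against the actor.
function createUser(actor, body) {
  if (!body || typeof body.username !== 'string') throw new HttpError(400, 'username required');
  if (!canAssignRole(actor, body.role)) throw new HttpError(403, 'cannot assign that role');
  if (users.has(body.username)) throw new HttpError(409, 'username taken');
  const account = { username: body.username, role: body.role };
  users.set(account.username, account);
  return account;
}

// Privileged users/promote ("raise" an existing base user): same check.
function promoteUser(actor, username, newRole) {
  if (!canAssignRole(actor, newRole)) throw new HttpError(403, 'cannot assign that role');
  const target = users.get(username);
  if (!target) throw new HttpError(404, 'no such user');
  target.role = newRole;
  return target;
}
```

Each function sits behind its own route; the authentication middleware supplies actor, and the 403 is what a caller without the right receives.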

Igor, 2020-07-03
@IgorPI

I'm also working with RBAC now, but only in Symfony. It all boils down to the fact that in certain methods a certain function is called that checks for the presence of an attribute allowing access.
Only Symfony has something called voting (Voters).
Here's an example:

<?php

namespace App\Security\Administrator\Voter;

use App\Entity\User;
use App\Entity\UserGroup;
use Exception;
use Symfony\Component\Security\Core\Authentication\Token\TokenInterface;
use Symfony\Component\Security\Core\Authorization\Voter\Voter;

/**
 * Class UserVoter
 * @package App\Security\Administrator\Voter
 */
class UserVoter extends Voter implements IVoter
{
    public const CREATE_USERS = 'create_users';
    public const EDIT_USERS = 'edit_users';
    public const DELETE_USERS = 'delete_users';
    public const VIEW_USERS = 'view_users';
    public const VIEW_CONTACTS = 'view_contacts';
    public const SET_PRIVILEGES_USERS = 'set_privileges_users';

    /**
     * Tells the security component that this voter handles the user-management attributes.
     *
     * @param string $attribute
     * @param mixed $subject
     * @return bool
     */
    protected function supports($attribute, $subject)
    {
        return in_array($attribute, $this->getAttributes(), true);
    }

    /**
     * Grants access only when the user's group holds the exact attribute being
     * checked; holding some other permission known to this voter is not enough.
     *
     * @param string $attribute
     * @param mixed $subject
     * @param TokenInterface $token
     * @return bool
     */
    protected function voteOnAttribute($attribute, $subject, TokenInterface $token)
    {
        $user = $token->getUser();

        // Anonymous tokens carry no User entity: deny.
        if (!$user instanceof User) {
            return false;
        }

        try {
            $group = $user->getGroup();
            if (!$group instanceof UserGroup) {
                return false;
            }

            // Strict comparison so that only a real string match grants access.
            return in_array($attribute, $group->getPermissions(), true);
        } catch (Exception $exception) {
            return false;
        }
    }

    /**
     * @return string[]
     */
    public function getAttributes()
    {
        return [
            self::CREATE_USERS,
            self::EDIT_USERS,
            self::DELETE_USERS,
            self::VIEW_USERS,
            self::VIEW_CONTACTS,
            self::SET_PRIVILEGES_USERS,
        ];
    }
}

In the controller
...
$this->denyAccessUnlessGranted(UserVoter::CREATE_USERS, null, "Вам запрещено создавать пользователей.");
...

Each user must have the attributes that allow access; if the user has no attributes, there is no access.
The base attribute is, for example, a string in the "user" database.
Each user is guaranteed to have the base attribute, otherwise there will be no access.
This is not an answer, I am just sharing my experience.
