I see, interesting way of handling this. However, it has some limitations: for instance, when I think of projects where resources for one environment are split across multiple resource groups, I don't want one SP per RG. And I don't want all my projects for different clients to be in the same global stack.
I ended up giving the permission that was missing ("Azure Active Directory : Application.ReadWrite.") to my SP and leaving it with the Contributor role on my subscription. It seemed to be the easiest for me if I want it to be able to create and populate my RG.
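The two grants the comment above describes, written out as Azure CLI calls. This is an added example, not the commenter's own script. It assumes Azure CLI 2.x, an existing app registration whose application (client) ID is passed as `APP_ID`, and that the truncated "Application.ReadWrite." means the Microsoft Graph application permission `Application.ReadWrite.All` (role ID `1bfefb4e-e0b5-418b-a88f-73c46d2cc8e9` on the Graph resource app `00000003-0000-0000-c000-000000000000`) rather than the retired Azure AD Graph API; both are assumptions. The `AZ` variable lets you set `AZ=echo` to print the commands instead of running them.

```shell
#!/usr/bin/env sh
# Added example: grant a deployer service principal (1) Contributor on one or
# more ARM scopes and (2) the Microsoft Graph Application.ReadWrite.All
# application permission, with admin consent. Not the commenter's script.
set -eu

AZ="${AZ:-az}"   # set AZ=echo for a dry run that only prints the commands

# Microsoft Graph resource app ID and the Application.ReadWrite.All app-role ID
# (assumption: the comment's "Application.ReadWrite." refers to this permission).
MSGRAPH_APP_ID="00000003-0000-0000-c000-000000000000"
APP_READWRITE_ALL_ROLE="1bfefb4e-e0b5-418b-a88f-73c46d2cc8e9"

# grant_contributor APP_ID SCOPE [SCOPE...]
# One Contributor role assignment per scope. Pass the subscription
# ("/subscriptions/<id>") to cover every RG, or a list of
# "/subscriptions/<id>/resourceGroups/<name>" scopes to limit one SP to the
# resource groups that make up a single environment.
grant_contributor() {
  app_id="$1"
  shift
  for scope in "$@"; do
    "$AZ" role assignment create \
      --assignee "$app_id" \
      --role Contributor \
      --scope "$scope"
  done
}

# grant_app_readwrite APP_ID
# Adds the Graph application permission to the app registration, then grants
# tenant-wide admin consent for it (application permissions always need admin
# consent; there is no user to consent on behalf of).
grant_app_readwrite() {
  app_id="$1"
  "$AZ" ad app permission add \
    --id "$app_id" \
    --api "$MSGRAPH_APP_ID" \
    --api-permissions "${APP_READWRITE_ALL_ROLE}=Role"
  "$AZ" ad app permission admin-consent --id "$app_id"
}

# Stand-alone usage: ./grant.sh <APP_ID> <SCOPE> [SCOPE...]
if [ "$#" -ge 2 ]; then
  app="$1"
  shift
  grant_contributor "$app" "$@"
  grant_app_readwrite "$app"
fi
```

Contributor at subscription scope is the broad option the comment settles on; calling `grant_contributor` with several RG scopes instead gives one SP per environment even when that environment spans multiple resource groups. Note that `Application.ReadWrite.All` is a directory-wide permission, not an ARM one: it lets the holder create and modify any app registration in the tenant, including adding credentials to other apps, so it belongs only on the identity that actually needs to register applications, and a Contributor assignment alone does not imply it.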