Thanks @tall-librarian-49374, I have found that I can do this using the Microsoft Graph API. It seems to work best if I first use Pulumi to add the rights and then the API to grant consent for them.
In theory the API can do both steps i.e. add the permissions and provide consent but when I do that they seem to appear in the "Other Permissions" section rather than the "Configured Permissions" section. If I assign the permission with Pulumi and then use the API to grant consent they appear in the preferred "Configured Permissions" section.
My issue is that I can't call the API until Pulumi has created the App Registration, its associated Service Principal and assigned the required permissions. I then need to use the Object ID of the Service Principal when calling the API. Is there a way I can call normal .Net code (i.e to call the API) once the required object has been created (so I know I have a valid object ID to pass to it)?