Log in to the GCP Console using administrative privileges.
From the selector on the top, select organization. (You must be on the root organisation level.)
Select IAM & Admin -> IAM from the navigation menu.
Go to View By Roles and click Grant Access.
Provide the newly created service account email in the New principals text box.
In the Assign Roles, select the custom role.
Click Save.
From GCP CLI run the below command:
gcloud iam service-accounts add-iam-policy-binding <SERVICE_ACCOUNT_EMAIL> --role="roles/iam.serviceAccountTokenCreator" --member="principalSet://iam.googleapis.com/projects/<PROJECT_NUMBER>/locations/global/workloadIdentityPools/<WORKLOAD_IDENTITY_POOL_ID>/*"