Azure Policy can't deploy the app because the managed identity cannot have microsoft.compute/galleries/applications/versions/read permissions; you should add "/providers/Microsoft.Authorization/roleDefinitions/b9331d33-8a36-4f8c-b097-4f54124fdb44" to roleDefinitionIds.
The client '595cdef6-a86b-445c-85b5-adc512495947' with object id '595cdef6-a86b-445c-85b5-adc512495947' has permission to perform action 'Microsoft.Compute/virtualMachines/VMapplications/write' on scope '/subscriptions/aae79fd4-fcaf-406d-a887-66123ff5ab02/resourcegroups/test_vm_inventory/providers/Microsoft.Compute/virtualMachines/VM/VMapplications/vscode'; however, it does not have permission to perform action(s) 'microsoft.compute/galleries/applications/versions/read' on the linked scope(s) '/subscriptions/aae79fd4-fcaf-406d-a887-66123ff5ab02/resourcegroups/test_vm_inventory/providers/microsoft.compute/galleries/azurecomputegallery/applications/vscode/versions/1.0.1' (respectively) or the linked scope(s) are invalid. (Code: LinkedAuthorizationFailed)
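A pre-deployment check for the gap reported above, as an added example that is not code from the original report or from the policy's authors: it pulls the missing action and linked scope out of the `LinkedAuthorizationFailed` text and tests whether a policy rule's `then.details.roleDefinitionIds` contains the role ID named in the report. The policy fragment and its all-zero GUID are constructed placeholders, and the function names are hypothetical.

```python
import copy
import re

# Role definition ID quoted in the report above.
REQUIRED_ROLE = ("/providers/Microsoft.Authorization/roleDefinitions/"
                 "b9331d33-8a36-4f8c-b097-4f54124fdb44")

# Excerpt of the error quoted in the report above.
ERROR = ("however, it does not have permission to perform action(s) "
         "'microsoft.compute/galleries/applications/versions/read' on the linked "
         "scope(s) '/subscriptions/aae79fd4-fcaf-406d-a887-66123ff5ab02/"
         "resourcegroups/test_vm_inventory/providers/microsoft.compute/galleries/"
         "azurecomputegallery/applications/vscode/versions/1.0.1' (respectively) "
         "or the linked scope(s) are invalid. (Code: LinkedAuthorizationFailed)")

# Constructed deployIfNotExists fragment; the all-zero GUID is a placeholder.
POLICY_RULE = {"then": {"effect": "deployIfNotExists", "details": {
    "roleDefinitionIds": ["/providers/Microsoft.Authorization/roleDefinitions/"
                          "00000000-0000-0000-0000-000000000000"]}}}

_LINKED = re.compile(r"perform action\(s\) (.+?) on the linked scope\(s\) (.+?) "
                     r"\(respectively\)")

def parse_linked_failure(message):
    """Return (missing_actions, linked_scopes) from a LinkedAuthorizationFailed error."""
    m = _LINKED.search(message) if "LinkedAuthorizationFailed" in message else None
    if m is None:
        return [], []
    return re.findall(r"'([^']+)'", m.group(1)), re.findall(r"'([^']+)'", m.group(2))

def _guid(role_id):
    # Compare by trailing GUID so differently scoped forms of the same ID match.
    return role_id.rstrip("/").rsplit("/", 1)[-1].lower()

def role_missing(rule, required=REQUIRED_ROLE):
    """True when the rule's roleDefinitionIds does not list the required role."""
    ids = rule.get("then", {}).get("details", {}).get("roleDefinitionIds", [])
    return _guid(required) not in {_guid(i) for i in ids}

def with_role(rule, required=REQUIRED_ROLE):
    """Return a copy of the rule with the required role appended if absent."""
    fixed = copy.deepcopy(rule)
    details = fixed.setdefault("then", {}).setdefault("details", {})
    if role_missing(fixed, required):
        details.setdefault("roleDefinitionIds", []).append(required)
    return fixed

if __name__ == "__main__":
    print(parse_linked_failure(ERROR))
    print(role_missing(POLICY_RULE), role_missing(with_role(POLICY_RULE)))
```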