@Markus Tacker, I understand that you have a Service Principal (SP) with Contributor access to a Resource Group. The error you are getting, "Principal is not authorized for POST on /devices/query due to no assigned permissions", can be resolved by assigning the correct level of Azure RBAC permission to the user. For example, an Owner on the IoT Hub can assign the "IoT Hub Data Owner" role, which gives all permissions. Try this role to resolve the lack-of-permission issue.
I would suggest that you first check which level of access is enabled for the Azure IoT Hub under Access Control (IAM) -> View my access.
To give more context: when an Azure AD security principal requests access to an IoT Hub service API, the principal's identity is first authenticated. This step requires the request to contain an OAuth 2.0 access token at runtime. The resource name for requesting the token is https://iothubs.azure.net. If the application runs inside an Azure resource like an Azure VM, an Azure Function app, or an App Service app, it can be represented as a managed identity.
Once the Azure AD principal has been authenticated, the second step is authorization. In this step, IoT Hub checks with Azure AD's role assignment service to see what permissions the principal has. If the principal's permissions match the requested resource or API, IoT Hub authorizes the request. So, this step requires one or more Azure roles to be assigned to the security principal. IoT Hub provides some built-in roles that have common groups of permissions.
IoT Hub provides the following Azure built-in roles for authorizing access to the IoT Hub service API using Azure AD and RBAC:
Please see Control access to IoT Hub for more details. Do let us know if that helps or if you have further queries. We would be happy to help you.
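As an added illustration (not part of the answer above, and not Microsoft's code), here is a simplified Python model of the authorization step it describes: why a control-plane role such as Contributor on the resource group does not satisfy a data-plane request to the IoT Hub service API, while a data-plane role assigned on the hub does. The resource IDs and principal ID are constructed, the role definitions are simplified rather than the real built-in permission lists, and the operation name used for the device query is an assumption.

```python
from dataclasses import dataclass
from fnmatch import fnmatchcase

@dataclass(frozen=True)
class RoleDefinition:
    name: str
    actions: tuple = ()       # control-plane (ARM) operations
    data_actions: tuple = ()  # data-plane operations served by the IoT Hub service API

@dataclass(frozen=True)
class RoleAssignment:
    principal_id: str  # object ID of the user, group, SP or managed identity
    role: str
    scope: str         # ARM resource ID; an assignment applies to everything beneath it

# Simplified, constructed role definitions (not the exact built-in permission lists).
ROLES = {
    "Contributor": RoleDefinition("Contributor", actions=("*",)),
    "IoT Hub Data Owner": RoleDefinition("IoT Hub Data Owner",
                                         data_actions=("Microsoft.Devices/IotHubs/*",)),
    "IoT Hub Data Reader": RoleDefinition("IoT Hub Data Reader",
                                          data_actions=("Microsoft.Devices/IotHubs/*/read",)),
}

def _in_scope(assignment_scope: str, requested_scope: str) -> bool:
    # Assignments inherit downward: subscription -> resource group -> resource.
    a, r = assignment_scope.lower(), requested_scope.lower()
    return r == a or r.startswith(a + "/")

def is_authorized(assignments, principal_id, scope, operation, data_plane=True) -> bool:
    """Step two of the flow: does any assignment grant `operation` at `scope`?"""
    for asg in assignments:
        if asg.principal_id != principal_id or not _in_scope(asg.scope, scope):
            continue
        role = ROLES[asg.role]
        permitted = role.data_actions if data_plane else role.actions
        if any(fnmatchcase(operation.lower(), p.lower()) for p in permitted):
            return True
    return False

# Constructed sample identifiers.
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"
RG = SUB + "/resourceGroups/rg-iot"
HUB = RG + "/providers/Microsoft.Devices/IotHubs/my-hub"
SP = "11111111-1111-1111-1111-111111111111"
DEVICE_QUERY = "Microsoft.Devices/IotHubs/devices/read"  # assumed operation name for /devices/query
before_fix = [RoleAssignment(SP, "Contributor", RG)]                       # returns False for the query
after_fix = before_fix + [RoleAssignment(SP, "IoT Hub Data Owner", HUB)]   # returns True for the query
```

Under these simplified definitions the Reader role is enough for the read-only query and denies writes, which is the least-privilege choice if the principal only needs to list devices.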