This is a problem with PAM instead of the roles.
First, /var/log/messages has the following entry, which indicates that the account is being rejected by PAM:
sfcb-CIMXML-Processor: pam_access(sfcb:auth): access denied for user `wbem' from `sfcb'
Furthermore, I can grant the WBEM role definition access to every object in the role editor, and will still get a username/password failure. But when I assign the wbem account to the Administrators role it works fine. This tells me that the accounts are being authenticated differently based on their role assignment, not on the privileges defined in the role. This is odd because there is the "CIM Interaction" role privilege which should be the governor for this.
edit for fix:
/etc/pam.d/sfcb calls the /etc/pam.d/system-auth definition for everything, which in turn calls the pam_access module. That module checks the /etc/security/access.conf file to govern who has access to resources. Once I added the wbem user account to that file, I was able to successfully authenticate and perform the wbem queries. The nice thing is that the pam_access module recognizes services as origins, so "+:wbem:sfcb" allows authentication for sfcb but not for (e.g.) sshd or login.
I expected this file to be edited according to the role privileges
edit 2: file is overwritten on reboot, the role priv needs to be incorporated into the auto-generated file
There is another way to fix this without having to modify the /etc/security/access.conf file on every reboot. Instead, assign the wbem user account to the "root" user group, and also give it the "no access" role. With the user in the root group, PAM will allow WBEM queries to pass through to the CIM server using the default access.conf rules, but the "no access" role assignment will prevent the account from being able to log in to the vSphere client, the service console, SSH, etc.
1) create a local wbem user, and assign to the "root" user group (Inventory->Users/Groups)
3) assign the wbem user to "no access" role (Inventory->Permissions)
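
The service-scoped rule from the first fix, as an added example (not part of the original post and not pam_access's own code): a simplified model of how access.conf rules are evaluated, showing that "+:wbem:sfcb" only helps when it sits ahead of a catch-all deny. The BASELINE contents are constructed, since the post does not show the host's actual file; groups, EXCEPT, LOCAL and network origins are not modelled.

```python
# Simplified model of pam_access rule evaluation (added example).
# Handles only literal names and the ALL keyword.

def parse_rules(text):
    """Return (permission, users, origins) tuples from access.conf text."""
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):   # blank or comment line
            continue
        # Fields are permission:users:origins; origins may contain ':'.
        perm, users, origins = (f.strip() for f in line.split(":", 2))
        if perm not in ("+", "-"):
            raise ValueError(f"bad permission field in: {raw!r}")
        rules.append((perm, users.split(), origins.split()))
    return rules

def _matches(tokens, value):
    return any(t == "ALL" or t == value for t in tokens)

def access_allowed(rules, user, origin):
    """First matching rule decides; with no match pam_access grants access."""
    for perm, users, origins in rules:
        if _matches(users, user) and _matches(origins, origin):
            return perm == "+"
    return True

# Constructed sample file, not the real one from the host.
BASELINE = "# constructed baseline\n+:root:ALL\n-:ALL:ALL\n"
PATCHED = "+:wbem:sfcb\n" + BASELINE      # rule placed before the deny
APPENDED = BASELINE + "+:wbem:sfcb\n"     # rule placed after the deny

def check(conf, user, origin):
    return access_allowed(parse_rules(conf), user, origin)

if __name__ == "__main__":
    for name, conf in (("baseline", BASELINE), ("patched", PATCHED),
                       ("appended", APPENDED)):
        for origin in ("sfcb", "sshd"):
            verdict = "allow" if check(conf, "wbem", origin) else "deny"
            print(f"{name:9} wbem from {origin}: {verdict}")
```

With a service name as the origin, the wbem account passes pam_access only for sfcb; the same account arriving through sshd still hits the catch-all deny.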