Figured it out!

First, for each VM you want to grant access to, add the user/group with the assigned role you want to grant them. The additional step required for access from Workstation is, for each Host the VMs you granted access to are on, you must also add the user/group and assign the Read-only role making sure to uncheck Propagate to child objects.

So this is similar to the thread referenced earlier, but saves from having to explicitly revoke access to every other VM on the host. So now, when I connect as the user I was testing with, I can connect to vCenter via Workstation, only see the VMs Ive applied the custom roles to and, most importantly, can connect to them without issue!

It also seems as though even though Workstation prompts to assign the necessary Read-only permission to the host it actually doesn't do a thing.

Thanks a bunch for all the help everyone.... especially ShadyMalatawey. If I wouldn't have seen that prompt in Workstation to apply the permission it would have taken a lot longer to figure out.