That's the way it works.
Locally on an ESXi host, if you add some roles and, using those roles, start assigning permissions (this is when you use, let's say, some locally created user accounts or AD user/group accounts), those are limited to the ESXi host only. When you use the vSphere Client/SSH client and log in directly to this host, that's when they are applicable, but when it comes to managing the same host using vCenter Server, your locally assigned permissions are not applicable.
vCenter Server has its own role-based access and authentication mechanism, where you might add the same AD as an identity source and start assigning permissions on your vCenter inventory objects using those user accounts and roles created in vCenter. They are applicable in the vSphere Web Client or vSphere Client connected to that VC.
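
The two separate permission sets described above can be audited side by side with PowerCLI. This is an added example, not part of the original post; the host names are placeholders, and it assumes the VMware PowerCLI module is installed and that you have an account on each endpoint.

```powershell
# Added example. Both server names are placeholders (assumptions).
$vcName   = 'vcenter.example.local'
$esxiName = 'esxi01.example.local'

# Collect permissions from one endpoint and label where they came from.
function Get-PermissionSet {
    param(
        [string]$Server,
        [string]$Source,
        [pscredential]$Credential
    )
    $conn = Connect-VIServer -Server $Server -Credential $Credential
    try {
        Get-VIPermission -Server $conn |
            Select-Object @{N='Source'; E={ $Source }},
                          Principal, Role, IsGroup, Propagate,
                          @{N='Entity'; E={ $_.Entity.Name }}
    }
    finally {
        Disconnect-VIServer -Server $conn -Confirm:$false
    }
}

# Permissions held by vCenter: these apply when the host is managed through vCenter.
$vcPerms = @(Get-PermissionSet -Server $vcName -Source 'vCenter' `
    -Credential (Get-Credential -Message 'vCenter account'))

# Permissions held by the host itself: these apply to direct client/SSH logins.
$hostPerms = @(Get-PermissionSet -Server $esxiName -Source 'ESXi-local' `
    -Credential (Get-Credential -Message 'ESXi local account'))

# Full inventory of both sets.
$vcPerms + $hostPerms | Sort-Object Source, Principal | Format-Table -AutoSize

# Principals that have access on the host but no permission at all in vCenter.
# Built-in host accounts (for example root, dcui, vpxuser) are expected here;
# anything else is access that vCenter's role assignments do not show.
$hostPerms |
    Where-Object { $_.Principal -notin $vcPerms.Principal } |
    Format-Table Principal, Role, Entity -AutoSize
```

Because host-local permissions never appear in the vCenter inventory, the second table is the one to review when checking who can still reach a host by logging in to it directly.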