Check out my response in this thread: https://community.canvaslms.com/thread/35637-lti-13-integration-testing-error
You're probably not specifying the role correctly. The IMS documentation lists the various roles (they're defined in a URI syntax, but you can also use a short version of just the last part although I don't cause it's not clear if that's official or not) and you have to declare them when you send over your JWT. The handshake will not TELL you what permissions you can request, you must already know what you've been granted.
You can find out what roles are available to you by looking at the Developer Key settings in Canvas and seeing which permissions are enabled (read only grades, see enrollments, etc). These map on a 1:1 basis with the roles you request along with sending your JWT (although the Canvas develoer key permissions page doesn't reference the role URIs by name which makes it harder than it should be).
Hope that helps!
