This article is reproduced from stackoverflow.com.

Tags: roles, wso2, wso2-am, wso2carbon, scopes

Adding new roles to WSO2 API-M with login & subscribe permissions does not allow user to login to su

Posted on 2020-04-18 09:39:26

I'm using WSO2 API-M v3.0.0, and I have created a new role with Login & Subscribe permissions (the same permissions that are granted to the "Internal/subscriber" role). But users within this new role are unable to log in to the subscriber portal, as access is denied to them. The only workaround I see is to add those users to both the new role AND the Internal/subscriber role.

Are there any other changes that need to be done when any new role is created? I am not using a multi-tenant environment.

Asked by Sanjeev Rayaprolu. Viewed 69 times.

Answer by Bee, 2020-02-04 23:00

From APIM 3.0 onwards, the permission-based access control model is replaced with a role-based + permission-based model. So, by default, your users need to have the Internal/subscriber role to access the developer portal.

This is how it works. To access the developer portal, users should be able to get access tokens which have the apim:api_subscribe scope. For that, users need to have the Internal/subscriber role. This mapping is configured in the /_system/config/apimgt/applicationdata/tenant-conf.json file in the registry. So, in your case, you have to add your new role to this file.

From APIM 3.1 onwards, there will be a UI to configure this, which will make it easier than what we have now.

From the docs [1]:

In WSO2 API Manager 3.0.0, the Developer Portal and Publisher Web Application UIs are populated by API-M REST APIs, and all the authentication and authorization to access the different components in the UI solely depend on the scope-role mapping defined in /_system/config/apimgt/applicationdata/tenant-conf.json, which can be accessed through the Management Console from Resources > Browse.

By default, the scope-role mapping contains Internal/creator, Internal/publisher, Internal/subscriber as the default roles. If there are custom roles defined with API creator, API publisher, admin and API subscriber permissions, those roles have to be configured in tenant-conf.json under relevant scopes.

[1] https://apim.docs.wso2.com/en/latest/Administer/ProductAdministration/ManagingUsersAndRoles/managing-user-roles/
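As an added example (not code from the answer above, from WSO2, or from its docs), a small Python helper that inspects a tenant-conf.json, reports which roles hold the apim:api_subscribe scope, and maps a custom role to that scope without creating duplicate entries. The RESTAPIScopes layout with {Name, Roles} objects and a comma-separated Roles string is an assumption about the file, and the scope fragment and the role name partner_subscriber are constructed.

```python
import json

# Constructed, minimal excerpt of the RESTAPIScopes section of tenant-conf.json.
# The real file carries many more scopes; the {Name, Roles} layout with a
# comma-separated Roles string is an assumption about its format.
SAMPLE_TENANT_CONF = json.dumps({
    "RESTAPIScopes": {
        "Scope": [
            {"Name": "apim:api_subscribe", "Roles": "admin,Internal/subscriber"},
            {"Name": "apim:api_create", "Roles": "admin,Internal/creator"},
        ]
    }
})


def load_sample() -> dict:
    """Parse the constructed sample into a fresh dict (stand-in for reading the registry file)."""
    return json.loads(SAMPLE_TENANT_CONF)


def roles_for_scope(conf: dict, scope_name: str) -> list:
    """Return the roles currently mapped to a scope; raise if the scope is unknown.

    Useful as an audit step: it shows exactly which roles can obtain tokens carrying the scope."""
    for scope in conf["RESTAPIScopes"]["Scope"]:
        if scope["Name"] == scope_name:
            return [r.strip() for r in scope["Roles"].split(",") if r.strip()]
    raise KeyError(f"scope {scope_name!r} not present in tenant-conf.json")


def add_role_to_scope(conf: dict, scope_name: str, role: str) -> bool:
    """Append `role` to the scope's Roles string. Returns True only if the mapping changed."""
    current = roles_for_scope(conf, scope_name)
    if role in current:
        return False  # idempotent: re-running does not duplicate the role
    for scope in conf["RESTAPIScopes"]["Scope"]:
        if scope["Name"] == scope_name:
            scope["Roles"] = ",".join(current + [role])
    return True


def grant_devportal_access(conf: dict, role: str) -> dict:
    """Map a custom role to apim:api_subscribe, the scope the answer names for portal access."""
    add_role_to_scope(conf, "apim:api_subscribe", role)
    return conf


if __name__ == "__main__":
    # Print the updated document; in practice this is what gets uploaded back to the registry.
    print(json.dumps(grant_devportal_access(load_sample(), "partner_subscriber"), indent=2))
```

Compare the output of roles_for_scope before and after the change to confirm that only the intended scope gained the new role.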