Instead or checking for vNet scope for Network contributor role, support subnet level scope to allow fine grained permission for cluster install.

Microsoft.Network/virtualNetworks/subnets/*

Risk with vNet level permission is when multiple cluster operator share the same vNet, all of them needed to be a contributor and have higher privileges then what is necessary.