BitHawkFriedli, the permission granted using RBAC in Exchange acts independently of the permissions granted directly in the AAD portal. To ensure you're using the least privileged approach (RBAC roles with scopes) you need to grant the role assignment in Exchange and remove the un-scoped permission assigned in Azure AD. App Access Policies continue to offer a method of scoping the permissions assigned in AAD, though we will be deprecating that feature in the long run.
I hope this clarification will be less necessary in the future since both tenant-wide app permissions and scoped permissions granted using RBAC will show side by side within the upcoming management experience described above under "Unified Management Experience."
With this sort of visual layout it might be clearer that these permission grants in RBAC are additive to those in AAD. In this case you would see the redundant permission grants implied by a RBAC assignment and AAD permission.
| Permission | Scope Type | Resource Scope |
| --- | --- | --- |
| Mail.Read | Exchange Management Scope | Employees in Canada |
| Mail.Read | Directory / AAD | Tenant (/) |
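The two steps described in the reply (grant the scoped assignment in Exchange, then remove the un-scoped grant in Azure AD so the two do not stack) carried out end to end, as an added example that is not part of the thread or of Microsoft's documentation. It uses Exchange Online PowerShell V3 for the RBAC side and Microsoft Graph PowerShell for the AAD side; the GUIDs, the display name, the mailbox addresses and the `CustomAttribute1` filter used to identify Canadian employees are placeholders and assumptions, not values from the thread.

```powershell
# Added example: move an app from a tenant-wide Mail.Read application permission in AAD
# to a scoped Exchange RBAC assignment, then verify the result. All IDs are placeholders.
$appId   = '00000000-0000-0000-0000-000000000000'   # placeholder: the app's client (application) ID
$spObjId = '11111111-1111-1111-1111-111111111111'   # placeholder: the service principal's object ID

# --- 1. Exchange Online side (run Connect-ExchangeOnline first) ---

# Make the service principal known to Exchange so RBAC can reference it
New-ServicePrincipal -AppId $appId -ObjectId $spObjId -DisplayName 'Mail Reader (CA)'

# Build the resource scope. Assumption: Canadian employees carry 'Canada' in CustomAttribute1;
# use whatever recipient filter actually identifies the population in your tenant.
New-ManagementScope -Name 'Employees in Canada' `
    -RecipientRestrictionFilter "CustomAttribute1 -eq 'Canada'"

# Grant Mail.Read to the app only within that scope
New-ManagementRoleAssignment -App $spObjId -Role 'Application Mail.Read' `
    -CustomResourceScope 'Employees in Canada'

# Check: authorized for an in-scope mailbox, denied for an out-of-scope one (placeholder addresses)
Test-ServicePrincipalAuthorization -Identity $spObjId -Resource 'ca.user@contoso.example'
Test-ServicePrincipalAuthorization -Identity $spObjId -Resource 'us.user@contoso.example'

# --- 2. Azure AD side (run Connect-MgGraph -Scopes 'AppRoleAssignment.ReadWrite.All' first) ---

# Locate the Microsoft Graph service principal (well-known appId) and its Mail.Read app role
$graphSp      = Get-MgServicePrincipal -Filter "appId eq '00000003-0000-0000-c000-000000000000'"
$mailReadRole = $graphSp.AppRoles | Where-Object { $_.Value -eq 'Mail.Read' }

# Remove the tenant-wide Mail.Read grant from the app's service principal. While it remains,
# the RBAC assignment is merely additive and the app still has tenant-wide access.
Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $spObjId |
    Where-Object { $_.AppRoleId -eq $mailReadRole.Id -and $_.ResourceId -eq $graphSp.Id } |
    ForEach-Object {
        Remove-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $spObjId `
            -AppRoleAssignmentId $_.Id
    }

# Re-list what is left: only the scoped Exchange assignment should remain
Get-ManagementRoleAssignment -App $spObjId | Format-Table Role, CustomResourceScope
```

Running the two `Test-ServicePrincipalAuthorization` calls before and after step 2 makes the additive behaviour from the table visible: until the AAD grant is removed, the out-of-scope mailbox still reports the app as authorized through the directory permission.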