Can you try adding the roles/iam.serviceAccountUser to the service account (Referring to the service account that you have downloaded the key json file for) used by the build server and see if that works.
or you can use the following gcloud command:
gcloud iam service-accounts add-iam-policy-binding \
$PROXY_SERVICE_ACCOUNT \
--member="serviceAccount:$CICD_SERVICE_ACCOUNT" \
--role="roles/iam.serviceAccountUser"
where $PROXY_SERVICE_ACCOUNT is the (pseudo email) of the service account you specify when deploying the proxy as optional field