I don’t know if there is a redefined role for this, but these link would lead you to define one for your needs:
1- Create a new role to manage current operations
2- changeStreams/#access-control (collectin/database/deployment levels)
@Abi_Scholz you are trying to open a change stream on a collection, so you should set this on collection or database level.
@Hannes_Calitz your goal is not just to open a change stream. so in addition to enabling this role for your user, you may need an extra privilege to change cluster settings. I still haven’t tried it myself, so excuse me for not giving the full steps.