I finally found out what I was doing wrong:
It seems that to get RolePermissions you need a higher level of access than you can request from oAuth, you need to put those permissions onto the AppPrinciple you are using. From the admin site:
Find your app then enter the following XML code into the box ‘Permission Request XML’ and click create – then authorise the app.
<AppPermissionRequests AllowAppOnlyPolicy="true"> <AppPermissionRequest Scope="http://sharepoint/content/tenant" Right="Read" /> <AppPermissionRequest Scope="http://sharepoint/content/sitecollection" Right="FullControl" /> <AppPermissionRequest Scope="http://sharepoint/content/sitecollection/web" Right="FullControl" /></AppPermissionRequests>