To make a long story short: When configuring user rights policies in Intune with a device configuration (custom profile), you'll find that the sample provided in the docs won't fully work. It does the correct configuration on the clients, but it will show you a remediation error in the Intune portal, which is not very nice.
Credits: Big thanks to Mark Thomas, who helped me solving this one.
Note: There are upcoming changes to Intune announced that should simplify these configurations. Hopefully very soon.
Background
Due to a bug in with the encoding of the delimiter used when following the CDATA syntax, the evaluation fails with an remediation failed error. The bug is due to the fact that the XML parser which handles the  delimiter only works for ADMX backed policies.
Looking something like this:
Workaround
To workaround the issue until the bug is fixed, skip using the CDATA syntax for now. So instead of using this documented syntax to grant Administrators and Users permissions to for example the Allow local LogOn user right:
<![CDATA[*S-1-5-32-544*S-1-5-32-545]]>
Use this syntax instead:
*S-1-5-32-544*S-1-5-32-545
Please note the delimiter. To make sure you get the right character, go to https://coderstoolbox.net/string/#!encoding=xml&action=decode&charset=us_ascii and enter the below text in the input box and press enter.
I found it… 🙂
<Data></Data>
How is the format if you want to remove all assignments from a specific user right?
Using just <![CDATA[]]> works, but gives an error in Intune reports. According to your post, the CDATA should be left out, but then there is nothing left and a custom OMA URI does not accept an empty string value.