Hi,
AFAIK, the need for ‘Create’ on ‘Template’ is added here [1]. I would say that as soon as you attempt to modify the template before instantiation (by providing a template fragment or by using various CLI options such as --cpu, --memory, etc.), you automatically need ‘Create’ permissions. That makes sense, since you are technically instantiating a different template, even though it is based on an existing template.
If you are using Sunstone, it is possible that these additional options are always present (from the wizard) and hence you would always need ‘Create’ permission on ‘Template’ to instantiate it … but that is just my guess 
Have you tried running
onetemplate instantiate $TEMPLATE_ID
without any additional arguments?
[1] https://github.com/OpenNebula/one/blob/one-5.2/src/rm/RequestManagerVMTemplate.cc#L196