In your scenario, your role needs the “read” capability and all the capabilities under “Projects” except publish. Now, with the “edit_projects” capability, the user will be able to create new Projects, but they won’t be able to publish. They can submit it for review.
Now, to give access only to Project X, you will have to use Extended Permissions. Using Bulk Edit, remove the Read/Edit/Delete permissions on all Projects for the role. Then edit Project X and enable Read/Edit/Delete for the role.
That configuration should achieve what you are looking for.
Now, to give the same permission on Project Y, edit the extended permissions of Project Y. But if you want to give the same permission on a different project for a different set of users, then you will have to create a new role and repeat the process.