You are correct, right now there is no way to get a group name in a JWT in a straightforward manner. This is an open issue: https://github.com/FusionAuth/fusionauth-issues/issues/229 but this will most likely be resolved when https://github.com/FusionAuth/fusionauth-issues/issues/267 gets delivered (no firm timeline on that, sorry).
Options:
you could put the group name in the user.data field and put it into the JWT using a JWT populate lamba. If you are moving users in and out of groups regularly, this could be scripted, but may be a bit of a maintenance issue. assign users to a group in FusionAuth. Assign that group a role with the same name. Then you'll have access to the role in the populate JWT lambda. This seems the most straightforward to me. Note that a user only gets a role assigned to a group in FusionAuth if the user is registered for the application and is a member of a group with a role for that application.