Thanks for your comments - I found them helpful.
If we use the fields as tokens, how can we be sure that if a user's role in SFDC changes, that the change would also occur in Marketo?
Is this something that the SFDC workflow would have to handle? Also, would the SFDC workflow have to be an Apex trigger?
Yes and yes, the workflow would take care of that. I think a workflow should be easiest, but you may need an Apex trigger if it turns out to be too complex for a workflow.