Please refer to this StackOverflow post. Expressions like @PreAuthorize(hasRole('ROLE_' + #user.role) do not work as hasRole does not appear to support SpEL. It will be useful to have hasRole support SpEL as it will allow dynamic role checking in many more number of scenarios.
Comment From: eleftherias
Closing as answered, since the linked StackOverflow post has been answered.