My new washer-dryer (not as much fun as the telephone) has bluetooth ,and I can monitor and control it with an app ('Homewhiz')..

...that connects to a cloud server 'somewhere'.

...for which the app suppliers want: my location and access to my microphone, camera and contacts - and the app won't install or run if you start denying access.

Nope, not happening.

I wish I was more of a hacker/programmer because I'd like to do some protocol sniffing and create a connector for Node-Red so that I could link the appliance to my home automation system without becoming a personal data asset for the manufacturer.

You are not the first person with this problem - fortunately smart people figured a way to fake all these data but it requires additional effort.

Any pointers where to start?

https://github.com/M66B/XPrivacyLua

I haven't kept up with it, it needs a rooted phone and Xposed Framework, and some apps don't like that and stop working.

But in an older version of this app, you can set it to prompt you for any activity the app wants to do, e.g. read clipboard or phone status, where you can say "Allow/deny always, allow/deny for 10 minutes" etc.