Issues with App Gateway Resolving Private Key Vault Endpoint

Pointing the VNet DNS to Azure Firewall will only work if it’s set up as a DNS Proxy. As another user suggested, link the Private Link DNS zone (for the Key Vault) to both the hub and spoke VNets. Alternatively, create a separate Private Link DNS zone for the Key Vault linked to the spoke VNet and include a record for its private endpoint.

What exactly is the problem you're encountering? Are you struggling to select the Key Vault in the HTTPS listener because it's not showing up?

Make sure your Private DNS Zone is linked to the spoke where the App Gateway is located so that the VNet can resolve the Key Vault's location.

You really need to have a Private DNS zone for the Key Vault with the correct record and link it to the VNet where your App Gateway is situated. This is critical even if your initial DNS setup looks good since the App Gateway often handles DNS differently.

It sounds like the Azure Firewall isn't actually able to resolve DNS. Why did you configure the spoke VNet's DNS settings to point at the firewall? Maybe try using the Azure-provided DNS instead in the spoke? Also, make sure the Private DNS Zone is linked to both VNets, but especially the spoke. And just to confirm, are your VNets peered? If you have another device in the spoke, like a VM, try resolving the Key Vault IP from there to see if it works.