Restrict Key Vault certificate import to a specific App Service Plan
App Service certificate import supports importing certificates from Key Vault. This operation requires an access policy on the Key Vault for Microsoft Azure Website (app id abfa0a7c-a6b6-4736-8310-5855508787cd). This access policy is directory-wide, which means any App Service can import certificates from this Key Vault, even from other subscriptions within the same directory.
It would be more secure if we could limit this access policy to a particular App Service Plan. I should not be able to import production web app certificates from my personal MPN subscription.