Improve error messaging for Key Vault firewall vNet integration
If you try to add a vNet/subnet to a Key Vault's firewall, the subscription where that vNet lives must have the Key Vault resource provider registered. If the Key Vault resource provider is not registered in the vNet's subscription, the error you see leads you down a different rabbit hole. Here's an example of the error message:
Virtual Network could not be validated. code: AuthorizationFailed. message: "The client '{guid}' with object id '{same_guid}' does not have authorization to perform action 'microsoft.network/virtualnetworks/taggedTrafficConsumers/validate/action' over scope '/subscriptions/my-vNet-subscription-guid/resourcegroups/my-Resource-Group/providers/microsoft.network/virtualnetworks/my-vNet/taggedTrafficConsumers/Microsoft.KeyVault.centralus' or the scope is invalid. If access was recently granted, please refresh your credentials.".
That error message led us to believe that the problem was permissions-related, but in reality, the fix described in this StackOverflow entry was closer to the mark:
Once we registered the Key Vault resource provider in the vNet's subscription, we were able to add the vNet to the Key Vault's firewall.
This suggestion is to surface the fact that the Key Vault resource provider needs to be registered in the subscription where the vNet lives in order for this integration to work properly.
Thank you for considering this.
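The pre-check described above (confirm Microsoft.KeyVault is registered in the subscription that owns the vNet before adding the subnet to the vault's firewall), as an added Azure CLI example that is not part of the original post; it assumes `az` is installed and logged in, and the vault name, resource group and subnet resource ID are placeholders supplied on the command line:

```shell
#!/bin/sh
# Added example, not from the original post. The vNet can live in a different
# subscription than the Key Vault, so the provider check must target the
# subscription parsed from the subnet's resource ID, not the vault's.
# Assumes Azure CLI ('az') is installed and already logged in.
set -eu

# Extract the subscription GUID from an ARM resource ID such as
# /subscriptions/<guid>/resourceGroups/<rg>/providers/Microsoft.Network/virtualNetworks/<vnet>/subnets/<subnet>
subscription_from_resource_id() {
  id="$1"
  case "$id" in
    /subscriptions/*/*) ;;
    *) echo "not an ARM resource ID: $id" >&2; return 1 ;;
  esac
  id="${id#/subscriptions/}"
  printf '%s\n' "${id%%/*}"
}

# Print the registration state of a resource provider in a subscription
# (Registered, NotRegistered, Registering, ...).
provider_state() {
  az provider show --namespace "$1" --subscription "$2" \
    --query registrationState -o tsv
}

# Register Microsoft.KeyVault in the vNet's subscription if it is not already
# registered, then add the subnet to the vault's firewall rules.
add_subnet_to_keyvault_firewall() {
  vault_name="$1"; vault_rg="$2"; subnet_id="$3"
  vnet_sub="$(subscription_from_resource_id "$subnet_id")"
  state="$(provider_state Microsoft.KeyVault "$vnet_sub")"
  if [ "$state" != "Registered" ]; then
    echo "Microsoft.KeyVault is $state in subscription $vnet_sub; registering (can take a few minutes)"
    az provider register --namespace Microsoft.KeyVault --subscription "$vnet_sub" --wait
  fi
  az keyvault network-rule add --name "$vault_name" --resource-group "$vault_rg" \
    --subnet "$subnet_id"
}

# Usage: ./kv-firewall-add.sh <vault-name> <vault-resource-group> <subnet-resource-id>
if [ "$#" -eq 3 ]; then
  add_subnet_to_keyvault_firewall "$@"
fi
```

Run it with the subnet's full resource ID; the script registers the provider only when the state it reads back is something other than `Registered`.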
