Hello @Adam Hinkle and thanks for reaching out. In order to manage key vaults both at the control (management) plane you need to authorize the principal (user or application) trough Azure RBAC regardless of them being local or external users. You don't need the principal to be tied to the same Azure subscription. To provide data (secrets, key, certs, etc.) plane access to a web app deployed in Azure App Services you can use managed identity if the application is hosted/deployed in the same tenant or a standard service principal (application authentication) if the web app is deployed in another tenant and assign a key vault access policy.
Private links provides an optimized and secured (private) connection to your key vaults but still you need to configure data plane access.
For more information, please take a look to Key Vault authentication options and Access model overview.
Let us know if you need additional assistance. If the answer was helpful, please accept it and complete the quality survey so that others can find a solution.