Hello @Frank Revi
Thank you for your post on this community space.
As per your case scenario description, I would like to offer my humble opinion about it. For instance, you were stating that you have no need to use the IIS feature or Web Application Proxy. Also, this is a real CA certificate, but it was provisioned as a wildcard TLS/SSL certificate.
You want to use the VM hosted on Azure as any other ADFS server to redirect your authentication request to the Key Vault resource to use the certificate set up. Please correct me if I am mistaken on this, but for now let me keep providing a few more details about it.
I would dare to say that what you need is to integrate other options into this, since you were asking how this can be possible, but the info down below can give you more clues to get it done as well as to get familiar with it.
When you use private links/endpoints, it will have a public IP linked to it as well as network firewall rules to either allow or block the network access from your VNET or Internet traffic. Having said that, you might need to use a Managed Identity instead of user/password credentials.
Please see the links mentioned previously:
https://learn.microsoft.com/en-us/azure/key-vault/general/overview-vnet-service-endpoints
If you need further details, do not hesitate to get back to us and any of us shall assist you for sure :)
Looking forward to your feedback,
Cheers,
Please "Accept the answer" if the information helped you. This will help us and others in the community as well.