Hi, Sanin
Q. Once a backup exists in a vault, the vault and the backups in the vault cannot be encrypted using CMK.
A. "This feature allows you to encrypt new Recovery Services vaults only. Any vaults containing existing items registered or attempted to be registered to it aren't supported."
https://learn.microsoft.com/en-us/azure/backup/encryption-at-rest-with-cmk?tabs=portal
Q. The backup in the vault cannot be modified, once written to the vault.
A. Correct, this is offline.
https://learn.microsoft.com/en-us/azure/backup/guidance-best-practices
Q. With the Soft Delete feature enabled any backups that are deleted can be recovered within 14 days.
A. Correct, Soft Delete will allow restore of backup jobs.
For immutable vault - this is currently in PREVIEW in Australia East:
With regard to Azure Policy, the DenyAction policy effect is also in Public Preview: https://techcommunity.microsoft.com/t5/azure-paas-blog/quickstart-denyaction-effect-in-azure-policy/ba-p/3705112
I propose you take a look at Resource Guard - MFA for Azure Backups - https://learn.microsoft.com/en-us/azure/backup/multi-user-authorization?tabs=azure-portal&pivots=vaults-recovery-services-vault
Resource Guard will allow you to set specific users, approval and restrictions and, if needed, prompt for MFA before any operations such as deleting a backup point.