Hi mikedunphy ,
I'm glad that you were able to resolve your issue and thank you for posting your solution so that others experiencing the same thing can easily reference this! Since the Microsoft Q&A community has a policy that "The question author cannot accept their own answer. They can only accept answers by others", I'll repost your solution in case you'd like to "Accept" the answer.
After provisioning and successfully activating a managed HSM using an administrator account, you could not generate or import keys and received the following error:
Not authorized to access Microsoft.KeyVault/managedHsm/keys/read/action on '/keys'
Managed HSM administrators don't have the ability to do key operations, so you needed to add an additional role that did. The correct role for this would be the Managed HSM Crypto User role, which can perform the action
keys/read/action. For more information, see Managed HSM local RBAC built-in roles.
If you have any other questions or are running into more Azure Managed HSM issues, please let me know.
Thank you again for your time and patience throughout this issue.
Please remember to "Accept the Answer" if the answer accurately represents the resolution, so that others in the community facing similar issues can easily find the solution.