I couldn't find any hidden flags to ensure the Key Vault is created with protection on and public access disabled during the Key Vault creation through the ASR appliance deployment. However, you can create an Azure Policy to enforce the required attributes on the Key Vault instances that get created.
You can create a policy that requires all Key Vault instances to have deletion protection enabled, soft delete enabled, and use a private endpoint. You can also create a policy that requires all Key Vault instances to have public access disabled.
To learn how to integrate Azure Key Vault with Azure Policy, see Integrate Azure Key Vault with Azure Policy.
Other sources: https://learn.microsoft.com/en-us/azure/site-recovery/deploy-vmware-azure-replication-appliance-modernized
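A sketch of the kind of custom policy definition the answer above describes, added here as an example and not part of the original answer or of any Microsoft-published policy. It flags a Key Vault when soft delete is off, purge protection is not on, or public network access is not disabled; the display name and the `effect` parameter are choices made for this example, and the private endpoint requirement is left out.

```json
{
  "properties": {
    "displayName": "Example: Key Vault must have deletion protection on and public network access disabled",
    "description": "Illustrative definition written for this page; review and test before assigning.",
    "mode": "Indexed",
    "parameters": {
      "effect": {
        "type": "String",
        "allowedValues": ["Audit", "Deny", "Disabled"],
        "defaultValue": "Audit"
      }
    },
    "policyRule": {
      "if": {
        "allOf": [
          { "field": "type", "equals": "Microsoft.KeyVault/vaults" },
          {
            "anyOf": [
              {
                "field": "Microsoft.KeyVault/vaults/enableSoftDelete",
                "equals": "false"
              },
              {
                "field": "Microsoft.KeyVault/vaults/enablePurgeProtection",
                "notEquals": "true"
              },
              {
                "field": "Microsoft.KeyVault/vaults/publicNetworkAccess",
                "notEquals": "Disabled"
              }
            ]
          }
        ]
      },
      "then": { "effect": "[parameters('effect')]" }
    }
  }
}
```

With `Deny`, Azure Resource Manager rejects a create request that lacks these settings rather than changing it, so a vault created by an automated deployment without them would fail to deploy. Assigning with `Audit` first shows whether the vaults created in scope comply before enforcement is switched on.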