Hi,
Yes, you can use a private endpoint for your key vault. On your key vault, you want to enable "Allow trusted Microsoft services to bypass this firewall" under Networking so that your storage account will be able to unwrap the key.
Please click Accept Answer and upvote if the above was useful.
Thanks.
-TP
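
The configuration described in the answer above, written as a Bicep template. This is an added example, not part of the original answer; the parameter names, the `-pe` suffix, the API versions and the use of RBAC authorization are assumptions.

```bicep
// Added example: Key Vault reachable through a private endpoint, firewall set
// to deny by default, with the trusted Microsoft services bypass left on.
// Parameter names and the endpoint name are assumptions.
param vaultName string
param location string = resourceGroup().location
param subnetId string // resource ID of the subnet that hosts the private endpoint

resource vault 'Microsoft.KeyVault/vaults@2022-07-01' = {
  name: vaultName
  location: location
  properties: {
    tenantId: subscription().tenantId
    sku: {
      family: 'A'
      name: 'standard'
    }
    enableRbacAuthorization: true // assumption: RBAC instead of access policies
    networkAcls: {
      // Firewall enabled: requests from public networks are rejected.
      defaultAction: 'Deny'
      // Equivalent of the portal checkbox "Allow trusted Microsoft services
      // to bypass this firewall". 'None' would block the storage account.
      bypass: 'AzureServices'
    }
  }
}

resource endpoint 'Microsoft.Network/privateEndpoints@2022-07-01' = {
  name: '${vaultName}-pe'
  location: location
  properties: {
    subnet: {
      id: subnetId
    }
    privateLinkServiceConnections: [
      {
        name: 'vault'
        properties: {
          privateLinkServiceId: vault.id
          groupIds: [
            'vault'
          ]
        }
      }
    ]
  }
}
```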