@Alexander Shushanidze , System Assigned identity will be same for the 'production' slot and the root app service (both are eventually the same resource). So if you just cover only the slots excluding the app service itself while assigning identity in keyvault, you should be good and will not encounter this problem.
locals {
identities = [ for slot in azurerm_app_service_slot.web_app_slot: slot.identity[0]]
}
If your slots are all using same identity, then you can just use the identity from app service resource and not any slot.
locals {
identity = azurerm_app_service.app_service.identity[0]
}