Hi,
The minimum viable solution will be to go to your Container App overview page and copy the outbound IP addresses listed under the networking heading. Add these to the KV firewall. However, these may change so it's not a very viable production solution.
If the Container Apps is a consumption SKU, then you're going to be limited here. By making your container app internal and putting egress control in place (front door, app gateway, traffic manager etc) this is a recommended approach to securing your apps as part of well architected framework.
This way you will not only secure the egress of your app with an edge paas solution with a WAF, but also as the ACA will be 'internal' now and you can scope to that network in the Keyvault firewall to allow access.
You can see more here on architectural reference if interested: https://learn.microsoft.com/en-us/azure/architecture/example-scenario/serverless/microservices-with-container-apps
If this is a workload profile (consumption + dedicated) then you can vnet integrate the apps, and put a NAT gateway on the subnet to keep a static IP for your Key Vault firewall.
Container Apps aren't unfortunately listed on the trusted services on Key Vault 'allow trusted services option' either which is a shame: https://learn.microsoft.com/en-gb/azure/key-vault/general/overview-vnet-service-endpoints#trusted-services