I was missing the "Key Vault" "Access Policy" for the Microsoft Azure App Service and Microsoft.Azure.CertificateRegistration. I added them as below and the cert synced. It still doesn't show up in the key vault.
Check the required permissions on Key Vault: |Service Principal|Secret Permissions|Certificates| |--|--|--| |Microsoft Azure App Service|Get|Get| |Microsoft.Azure.CertificateRegistration|Get,List,Set,Delete|Get,List|