Hi @David Maryo
I'm assuming you have security policies allowing traffic to the Public IP endpoint Key Vaults. Unfortunately, if your firewall only supports IP addresses, there's not a way to reliably know what the Azure Key Vault public IP is or when it changes because it's hosted on PaaS services in Azure that the Azure Key Vault service doesn't control, so you won't be able to reliably enforce firewall policies. If your firewall can support FQDNs, then you should be able to use the fully qualified Key Vault URL.
You could get the IP address ranges of the Azure Datacenter hosting your Key Vault and add those ranges in, but those will be pretty wide ranges.
https://learn.microsoft.com/en-us/azure/key-vault/general/access-behind-firewall#ip-address-ranges
If you can connect to your Key Vault via a Private Endpoint, then you have more control, but I understand that you might not be able to use Private Endpoints in all of your scenarios.
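
Added example, not part of the original answer and not Microsoft's code: a Python sketch of the datacenter-range approach mentioned above. It pulls one region's Key Vault prefixes out of a service-tags style JSON document, collapses them into firewall rules, and shows how many addresses those rules admit. The sample document is constructed; it assumes the `values` / `properties.systemService` / `properties.region` / `properties.addressPrefixes` layout of the Azure IP Ranges and Service Tags download, and uses documentation prefixes instead of real Azure addresses.

```python
import ipaddress
import json

# Constructed sample in the layout of the Azure "IP Ranges and Service Tags"
# JSON download (assumed layout); prefixes are documentation ranges only.
SAMPLE_SERVICE_TAGS = json.loads("""
{"values": [
  {"name": "AzureKeyVault.WestEurope",
   "properties": {"region": "westeurope", "systemService": "AzureKeyVault",
                  "addressPrefixes": ["198.51.100.0/25", "198.51.100.128/25",
                                      "203.0.113.16/28", "2001:db8:10::/48"]}},
  {"name": "AzureKeyVault.EastUS",
   "properties": {"region": "eastus", "systemService": "AzureKeyVault",
                  "addressPrefixes": ["192.0.2.0/24"]}},
  {"name": "Storage.WestEurope",
   "properties": {"region": "westeurope", "systemService": "AzureStorage",
                  "addressPrefixes": ["203.0.113.128/25"]}}
]}
""")


def regional_prefixes(doc, service, region):
    """Return collapsed (IPv4, IPv6) networks for one service in one region."""
    v4, v6 = [], []
    for tag in doc.get("values", []):
        props = tag.get("properties", {})
        if (props.get("systemService", "").lower() != service.lower()
                or props.get("region", "").lower() != region.lower()):
            continue
        for prefix in props.get("addressPrefixes", []):
            net = ipaddress.ip_network(prefix, strict=False)
            (v4 if net.version == 4 else v6).append(net)
    return (list(ipaddress.collapse_addresses(v4)),
            list(ipaddress.collapse_addresses(v6)))


def address_count(networks):
    """Total addresses a rule set built from these networks would admit."""
    return sum(net.num_addresses for net in networks)


def is_allowed(ip, networks):
    """True if ip falls in any network of the same IP version."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in networks if net.version == addr.version)


if __name__ == "__main__":
    v4, v6 = regional_prefixes(SAMPLE_SERVICE_TAGS, "AzureKeyVault", "westeurope")
    print("IPv4 rules:", [str(n) for n in v4], "admitting", address_count(v4))
    print("203.0.113.200 allowed:", is_allowed("203.0.113.200", v4))
```

Because the published ranges change over time, a rule set generated this way has to be regenerated whenever a new version of the file appears, and it admits every address in the range, not only your vault.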