If Key Vault is being used as a backend target (part of your backend pool), specify the <yourvault>.privatelink.vaultcore.azure.net address as the FQDN for the backend target. Within your corresponding backend HTTP setting, configure "Override with new host name" with the value of yes and check "Override with specific domain name" for the host name override. For the hostname to override, use the FQDN provided by Key Vault (i.e. <yourvault>.vault.azure.net).
If Key Vault is being referenced via private endpoint for a listener, you must associate the private DNS zone to the virtual network. I will work on clarifying these items via our docs.
Hope this helps!
Jack
You can use Application Gateway with a hub/spoke architecture and continue to use custom DNS servers on the spoke network. For this specific scenario, you need to additionally link the DNS zone to the spoke network, which will ensure Application Gateway utilizes the proper address of the private endpoint.
I don't have timelines to share at the moment, but we are working on options to improve this experience in the future. Documentation has been updated to call this out in the interim as well.
Thank you,
Jack
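The configuration described in the two replies above (private-link backend FQDN with a host name override, plus linking the private DNS zone to the spoke VNet), written out as an added Az PowerShell example; this is not code from the original thread or from Microsoft. Resource names (rg-hub, appgw-hub, contoso-kv, vnet-spoke, rg-spoke) are placeholders, and it assumes the Key Vault private endpoint and its private DNS zone already exist.

```powershell
# Added example, not from the original thread. All resource names are placeholders.
$rg        = 'rg-hub'
$gwName    = 'appgw-hub'
$vaultName = 'contoso-kv'
$zoneName  = 'privatelink.vaultcore.azure.net'

# 1. Backend pool: target the private-link name so Application Gateway resolves
#    it through the private DNS zone to the private endpoint's address.
$gw = Get-AzApplicationGateway -Name $gwName -ResourceGroupName $rg
$gw = Add-AzApplicationGatewayBackendAddressPool -ApplicationGateway $gw `
        -Name 'pool-keyvault' -BackendFqdns "$vaultName.$zoneName"

# 2. Backend HTTP setting: override the Host header with the public vault name,
#    since Key Vault's TLS certificate and routing expect <vault>.vault.azure.net.
#    -HostName corresponds to "Override with specific domain name" in the portal.
$gw = Add-AzApplicationGatewayBackendHttpSetting -ApplicationGateway $gw `
        -Name 'http-keyvault' -Port 443 -Protocol Https `
        -CookieBasedAffinity Disabled `
        -HostName "$vaultName.vault.azure.net"
$gw = Set-AzApplicationGateway -ApplicationGateway $gw

# 3. Hub/spoke: link the private DNS zone to the spoke VNet as well. Without this
#    link, resolution from the spoke (custom DNS or not) returns the public
#    address instead of the private endpoint.
$spoke = Get-AzVirtualNetwork -Name 'vnet-spoke' -ResourceGroupName 'rg-spoke'
New-AzPrivateDnsVirtualNetworkLink -ResourceGroupName $rg -ZoneName $zoneName `
    -Name 'link-spoke' -VirtualNetworkId $spoke.Id

# 4. Check: the zone must hold an A record for the vault with a private address.
#    If it is missing, the private endpoint's DNS zone group was not created and
#    traffic will still be sent to the public endpoint.
$rec = Get-AzPrivateDnsRecordSet -ResourceGroupName $rg -ZoneName $zoneName `
         -Name $vaultName -RecordType A
$rec.Records | ForEach-Object { "{0}.{1} -> {2}" -f $vaultName, $zoneName, $_.Ipv4Address }
```

The private DNS zone may live in a different resource group than the gateway; adjust `-ResourceGroupName` on the DNS cmdlets accordingly.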