If you want your Azure Front Door and Front Door Standard/Premium instances to access certificates in your Key Vault, you will need to grant the general Microsoft Azure Front Door CDN principal user some access to your Key Vault

Classic Front Door

Against Azure Powershell session run this (you won't be able to run this if you are only a Reader):

New-AzADServicePrincipal -ApplicationId "ad0e1c7e-6d38-4ba4-9efd-0bc77ba9f037"

 Then go your Key Vault -> Access Policy -> Add Access Policy -> Grant "Get" on Secret Permissions and Certificate Permissions to a user called - Microsoft.Azure.Frontdoor

Note! The user who performs the action to add the Key Vault certificate to the Front door instance should also have "Get" and "List" permissions to that same Key Vault for Secret and Certificate permissions

Front Door Standard/Premium (Preview)

Against Azure Powershell session run this (you won't be able to run this if you are only a Reader):

New-AzADServicePrincipal -ApplicationId "205478c0-bd83-4e1b-a9d6-db63a3e1e1c8"

Then go your Key Vault -> Access Policy -> Add Access Policy -> Grant "Get" on Secret Permissions and Certificate Permissions to a user called - Microsoft.AzureFrontDoor-Cdn

Note! The user who performs the action to add the Key Vault certificate to the Front door instance should also have "Get" and "List" permissions to that same Key Vault for Secret and Certificate permissions