If you want your Azure Front Door and Front Door Standard/Premium instances to access certificates in your Key Vault, you will need to grant the general Microsoft Azure Front Door CDN principal user some access to your Key Vault
Classic Front Door
Against Azure Powershell session run this (you won't be able to run this if you are only a Reader):
New-AzADServicePrincipal -ApplicationId "ad0e1c7e-6d38-4ba4-9efd-0bc77ba9f037"
Then go your Key Vault -> Access Policy -> Add Access Policy -> Grant "Get" on Secret Permissions and Certificate Permissions to a user called - Microsoft.Azure.Frontdoor
Note! The user who performs the action to add the Key Vault certificate to the Front door instance should also have "Get" and "List" permissions to that same Key Vault for Secret and Certificate permissions
Front Door Standard/Premium (Preview)
Against Azure Powershell session run this (you won't be able to run this if you are only a Reader):
New-AzADServicePrincipal -ApplicationId "205478c0-bd83-4e1b-a9d6-db63a3e1e1c8"
Then go your Key Vault -> Access Policy -> Add Access Policy -> Grant "Get" on Secret Permissions and Certificate Permissions to a user called - Microsoft.AzureFrontDoor-Cdn
Note! The user who performs the action to add the Key Vault certificate to the Front door instance should also have "Get" and "List" permissions to that same Key Vault for Secret and Certificate permissions