Tags: azure, azure-active-directory, azure-web-app-service, azure-keyvault

AKV10032: Invalid issuer error when connecting to Azure Key Vault from App Service


An API is deployed as an App Service on Azure. It connects to a Key Vault that is on the same subscription. An access policy was created for the App Service in the Key Vault. The App Service is configured with a system assigned identity. When the API attempts to access the key vault, the following error occurs:

AKV10032: Invalid issuer. Expected one of https://sts.windows.net/b68456ea-cf3c-4835-9d30-a4b164f33190/, https://sts.windows.net/f8cdef31-a31e-4b4a-93e4-5f571e91255a/, https://sts.windows.net/e2d54eb5-3869-4f70-8578-dee5fc7331f4/, found https://sts.windows.net/98de912a-48b9-4d1d-b5cd-21fd3f4f449d/.

Edit: I've removed a lot of content from this question as there was an error in it and I've been on the wrong track. Both the Key Vault and the App service do use the same tenant (contrary to my original post). The tenant Id is 98de912a-48b9-4d1d-b5cd-21fd3f4f449d, which is the one that is found in the error message above.
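The AKV10032 message encodes the whole diagnosis: the "Expected one of" issuers are the tenants the vault that actually answered will accept, and the "found" issuer is the tenant that minted the managed identity's token. Comparing the "found" tenant with the tenant you believe the vault lives in tells you whether the identity is in the wrong tenant or whether you are talking to a different vault than you think. The following script is an added example, not code from the question or from Azure; it parses the error text quoted above, extracts the tenant from the `iss` claim of an access token (without validating the signature, so it is a diagnostic aid only), and reports which of the two situations applies. The token it decodes is a constructed, unsigned sample with a placeholder signature segment; `diagnose` and the other function names are this example's own.

```python
import base64
import json
import re

# Constructed sample: the AKV10032 message quoted in the question above.
AKV10032_MESSAGE = (
    "AKV10032: Invalid issuer. Expected one of "
    "https://sts.windows.net/b68456ea-cf3c-4835-9d30-a4b164f33190/, "
    "https://sts.windows.net/f8cdef31-a31e-4b4a-93e4-5f571e91255a/, "
    "https://sts.windows.net/e2d54eb5-3869-4f70-8578-dee5fc7331f4/, "
    "found https://sts.windows.net/98de912a-48b9-4d1d-b5cd-21fd3f4f449d/."
)

# Tenant the asker believes both the App Service and the Key Vault belong to.
INTENDED_TENANT = "98de912a-48b9-4d1d-b5cd-21fd3f4f449d"

GUID_RE = r"[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}"
# Issuer forms used by Azure AD v1 (sts.windows.net) and v2 (login.microsoftonline.com) tokens.
ISSUER_RE = re.compile(
    r"https://(?:sts\.windows\.net|login\.microsoftonline\.com)/(" + GUID_RE + r")/",
    re.IGNORECASE,
)


def parse_akv10032(message: str) -> dict:
    """Split an AKV10032 message into the tenants the vault accepts and the tenant the token came from."""
    if "AKV10032" not in message:
        raise ValueError("not an AKV10032 message")
    expected_part, _, found_part = message.partition("found ")
    expected = {t.lower() for t in ISSUER_RE.findall(expected_part)}
    found_matches = ISSUER_RE.findall(found_part)
    if len(found_matches) != 1:
        raise ValueError("could not locate the 'found' issuer in the message")
    found = found_matches[0].lower()
    return {"expected": expected, "found": found, "accepted": found in expected}


def _b64url_decode(segment: str) -> bytes:
    # JWT segments drop base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def token_tenant(access_token: str) -> str:
    """Return the tenant GUID from the iss claim of a compact JWT.

    The payload is decoded without signature verification: this is for
    inspecting which tenant issued the token, not for trusting it.
    """
    parts = access_token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT (expected header.payload.signature)")
    claims = json.loads(_b64url_decode(parts[1]))
    match = ISSUER_RE.search(claims.get("iss", ""))
    if match is None:
        raise ValueError("iss claim is not an Azure AD issuer URL")
    return match.group(1).lower()


def make_sample_token(tenant_id: str) -> str:
    """Build a constructed, unsigned JWT for the offline demonstration (placeholder signature)."""
    def enc(obj: dict) -> str:
        raw = json.dumps(obj, separators=(",", ":")).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

    header = {"alg": "RS256", "typ": "JWT"}
    payload = {"iss": f"https://sts.windows.net/{tenant_id}/",
               "aud": "https://vault.azure.net", "tid": tenant_id}
    return f"{enc(header)}.{enc(payload)}.placeholder-signature"


def diagnose(message: str, intended_tenant: str) -> str:
    """Classify an AKV10032 failure relative to the tenant the vault is supposed to be in."""
    info = parse_akv10032(message)
    if info["accepted"]:
        return "no issuer mismatch in this message"
    if info["found"] == intended_tenant.lower():
        # The token is from the right tenant, so the vault that answered is not the
        # vault you meant: check the vault name / URL (the question's root cause).
        return "token tenant matches intended tenant: verify the Key Vault name"
    return "token tenant differs from intended tenant: identity and vault are in different tenants"


if __name__ == "__main__":
    info = parse_akv10032(AKV10032_MESSAGE)
    print("vault accepts :", sorted(info["expected"]))
    print("token came from:", info["found"])
    print("token iss tenant:", token_tenant(make_sample_token(INTENDED_TENANT)))
    print(diagnose(AKV10032_MESSAGE, INTENDED_TENANT))
```

In the asker's case the "found" tenant equals the tenant the vault was supposed to be in, which is exactly the branch that points at the vault name rather than at access policies or identity configuration.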


Solution

  • This was happening because of a typo in the name of the key vault that I was given. Unfortunately the typo version was for an existing key vault, so we went on the wrong track investigating authorization problems.