Microsoft is painfully vague on the details of this, but:
Add a role assignment to your key vault in the IAM tab.
Choose Key Vault Certificate User (or whatever role you chose).
For users, choose "Users, group, or service principal". In the selection menu, search for "microsoft azure app service". This will bring up the built-in service SPN which is needed to bind the certificate in Key Vault (you'll notice its application id is abfa0a7c-a6b6-4736-8310-5855508787cd).
I don't think you even need the user assigned managed identity once this in-built SPN is set up, but you can test that.
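
Added example, not part of the original answer: the same role assignment done with the Azure CLI, scoped to a single vault and refusing to proceed when the vault does not use the Azure RBAC permission model. The function name is hypothetical; it assumes Azure CLI 2.37 or later (where `az ad sp show` returns the object id as `id`) and an existing `az login` session.

```sh
#!/bin/sh
# Added example (not from the answer): CLI equivalent of the portal steps.
# Assumes Azure CLI 2.37+ and that `az login` has already been done.

# Application id of the built-in "Microsoft Azure App Service" SPN, from the answer.
APP_SERVICE_APP_ID="abfa0a7c-a6b6-4736-8310-5855508787cd"

# grant_app_service_cert_access <vault-name> [role]   (hypothetical helper name)
grant_app_service_cert_access() {
    vault=$1
    role=${2:-Key Vault Certificate User}
    [ -n "$vault" ] || { echo "usage: $0 <vault-name> [role]" >&2; return 2; }

    # Role assignments only take effect when the vault uses the Azure RBAC
    # permission model; under access policies they are not evaluated.
    rbac=$(az keyvault show --name "$vault" \
        --query properties.enableRbacAuthorization -o tsv) || return 1
    if [ "$rbac" != "true" ]; then
        echo "vault '$vault' does not use the Azure RBAC permission model" >&2
        return 3
    fi

    # Scope the assignment to this one vault, not the resource group or subscription.
    scope=$(az keyvault show --name "$vault" --query id -o tsv) || return 1

    # The application id is fixed; the SPN's object id differs per tenant.
    sp_oid=$(az ad sp show --id "$APP_SERVICE_APP_ID" --query id -o tsv) || return 1

    # Idempotent: skip creation if the same role is already assigned at this scope.
    n=$(az role assignment list --assignee "$sp_oid" --role "$role" \
        --scope "$scope" --query "length(@)" -o tsv) || return 1
    if [ "$n" != "0" ]; then
        echo "already-assigned"
        return 0
    fi

    az role assignment create --assignee-object-id "$sp_oid" \
        --assignee-principal-type ServicePrincipal \
        --role "$role" --scope "$scope" >/dev/null || return 1
    echo "assigned"
}

# Run only when a vault name is passed on the command line.
if [ "$#" -gt 0 ]; then
    grant_app_service_cert_access "$@"
fi
```
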