79736360

Date: 2025-08-15 11:04:08
Score: 0.5

For the benefit of anyone else who has stumbled upon this, a straightforward solution which doesn't involve Dataverse is:

  1. Create a service principal (app registration) in Entra ID on the Azure tenant that contains the key vault. This should be the same tenant that contains the Power Platform environment.

  2. Assign Key Vault Secret Reader permissions to the corresponding service principal (enterprise app) via the IAM settings of the key vault.

  3. Insert an Azure Key Vault step in the cloud flow with the "Get secret" action and "Service principal authentication". Enter client id, secret, tenant. The secrets should be listed if the connection is correct.

  4. Go to the Azure Key Vault step options and switch on the "Secure outputs" toggle.

  5. Add a step after the Azure Key Vault step which uses the secret from the previous step.

No environment variable is needed for the secret, and no connection to Dataverse. The client secret specified for the service principal used to access the key vault is not visible. The connection to the key vault can be modified in the future to rotate the secret with no impact to the solution.

Reasons:
  • Long answer (-1):
  • No code block (0.5):
  • Self-answer (0.5):
  • Low reputation (0.5):
Posted by: erionpc
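
An added example, not part of the original answer: a check that every Key Vault "Get secret" action in an exported flow definition has "Secure outputs" switched on (step 4), including actions nested in scopes and condition branches. It assumes the exported JSON records the toggle under `runtimeConfiguration.secureData.properties` and identifies the connector action by a `shared_keyvault` apiId and `GetSecret` operationId; the sample flow is constructed.

```python
import json

# Constructed sample: a trimmed cloud-flow definition in the layout assumed for
# an exported solution flow. Action names and secret names are made up.
SAMPLE_FLOW = json.loads("""
{"properties": {"definition": {"actions": {
  "Get_secret": {
    "type": "OpenApiConnection",
    "inputs": {"host": {"apiId": "/providers/Microsoft.PowerApps/apis/shared_keyvault",
                        "operationId": "GetSecret"},
               "parameters": {"secretName": "example-secret"}},
    "runtimeConfiguration": {"secureData": {"properties": ["outputs"]}}
  },
  "Scope": {"type": "Scope", "actions": {
    "Get_secret_2": {
      "type": "OpenApiConnection",
      "inputs": {"host": {"apiId": "/providers/Microsoft.PowerApps/apis/shared_keyvault",
                          "operationId": "GetSecret"},
                 "parameters": {"secretName": "example-secret-2"}}
    }
  }}
}}}}
""")

def walk_actions(actions, path=""):
    """Yield (path, action) for every action, descending into nested containers."""
    for name, action in (actions or {}).items():
        here = f"{path}/{name}"
        yield here, action
        # Scope/loop bodies sit under "actions"; a condition's false branch under "else".
        yield from walk_actions(action.get("actions"), here)
        yield from walk_actions((action.get("else") or {}).get("actions"), here + "/else")

def is_get_secret(action):
    inputs = action.get("inputs")
    host = inputs.get("host", {}) if isinstance(inputs, dict) else {}
    return host.get("apiId", "").endswith("shared_keyvault") and host.get("operationId") == "GetSecret"

def unsecured_get_secret_actions(flow):
    """Return paths of Key Vault 'Get secret' actions whose outputs are not marked secure."""
    actions = flow.get("properties", {}).get("definition", {}).get("actions", {})
    findings = []
    for path, action in walk_actions(actions):
        secured = action.get("runtimeConfiguration", {}).get("secureData", {}).get("properties", [])
        if is_get_secret(action) and "outputs" not in secured:
            findings.append(path)
    return findings

if __name__ == "__main__":
    for path in unsecured_get_secret_actions(SAMPLE_FLOW):
        print(f"Secure outputs is off: {path}")
```
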