Now enable managed service identity for the webapp.

az webapp identity assign --name kvqs -g keyvaultquickstart-rg

Note the principal ID and assign get rights to the secret in your vault.

az keyvault set-policy --name keyvaultquickstart-kv --object-id <principalid> --secret-permissions get