Solved: I had assumed I needed to set KV rights on the user-assigned identity that Azure creates. Not true. I simply created a SecretProviderClass in my cluster that made use of the existing identity that DID have rights to read from the Key Vault, and it worked first time. Tadaaaaa
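For anyone landing here with the same problem, here is what the fix described above looks like as a manifest. This is an added example, not the poster's own YAML: it assumes the Azure Key Vault provider for the Secrets Store CSI Driver is installed on the AKS cluster, and that the existing user-assigned managed identity (referenced by its client ID) already holds a read permission on the vault (the `Key Vault Secrets User` RBAC role, or a `get` secret access policy). The vault name, tenant ID, client ID, namespace and image are placeholders.

```yaml
# Added example (not the poster's manifest). Reuses an existing user-assigned
# managed identity that already has read access to the vault; no new Key Vault
# permissions are granted anywhere in this file. All IDs/names are placeholders.
apiVersion: secrets-store.csi.x-k8s.io/v1
kind: SecretProviderClass
metadata:
  name: azure-kv-example                 # placeholder name
  namespace: default                     # placeholder namespace
spec:
  provider: azure
  parameters:
    # Authenticate with the user-assigned managed identity attached to the
    # node pool instead of creating or re-permissioning a new one.
    useVMManagedIdentity: "true"
    userAssignedIdentityID: "00000000-0000-0000-0000-000000000000"  # placeholder client ID
    keyvaultName: "example-kv"           # placeholder vault name
    tenantId: "11111111-1111-1111-1111-111111111111"               # placeholder tenant ID
    # List only the objects this workload actually needs (least privilege):
    # the identity's vault role is the upper bound, this list is the narrower one.
    objects: |
      array:
        - |
          objectName: db-password        # placeholder secret name
          objectType: secret
---
# Consumer pod: the secret is mounted read-only as a file; nothing is copied
# into a Kubernetes Secret object because no secretObjects block is set above.
apiVersion: v1
kind: Pod
metadata:
  name: kv-consumer                      # placeholder name
  namespace: default
spec:
  containers:
    - name: app
      image: busybox:1.36                # placeholder image
      # Only list the mounted file; never print secret contents to pod logs.
      command: ["sh", "-c", "ls -l /mnt/secrets-store && sleep 3600"]
      volumeMounts:
        - name: secrets-store
          mountPath: /mnt/secrets-store
          readOnly: true
  volumes:
    - name: secrets-store
      csi:
        driver: secrets-store.csi.k8s.io
        readOnly: true
        volumeAttributes:
          secretProviderClass: azure-kv-example
```

Apply both objects with `kubectl apply -f`, then check `kubectl describe pod kv-consumer` for mount errors and `kubectl get secretproviderclasspodstatus` for the driver's view of the mount. If the pod stays in `ContainerCreating` with an authorization error from the vault, the identity named in `userAssignedIdentityID` does not actually have the read permission assumed above; verify that in the portal or with `az keyvault` rather than adding broader rights than `get` on secrets.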