I finished my testing. I initially removed the app service access policy, so I had a "pre-deployed" key vault. I then added the app service managed identity in an access policy. I deleted everything and created the stack from blank. The stack deployed fine with the app service managed identity having an access policy.
Is your app service and key vault in the same file? My projects are split into separate files and each file has a function per object. I then have one main function that executes the individual functions.