Azure key vault for EventHub connections is supported through Azure Managed Identities which requires the CDC Listener process to be running on Azure VM for successfully authentication to azure environments. The authentication retrieves the secrets from the Key vault and use the connection string (Secret) to authenticate to EventHub which removes the use of connection string in Kafka config properties file.
Sample Azure key vault properties file for Azure service
bootstrap.servers=connectehub.servicebus.windows.net:9093
security.protocol=SASL_SSL
sasl.jaas.config=org.apache.kafka.common.security.plain.PlainLoginModule required username="$ConnectionString" password="{keyValue}";
sasl.mechanism=PLAIN
Note: In sasl.jaas.config property, the password must be set to "{keyValue}" instead of the connection string.