Service Endpoint and Private Endpoint overlap

flowchart LR

subgraph vnet1
	subgraph subnet1
		service-endpoint-kv
	end
end
subgraph vnet2
	subgraph subnet2
		private-endpoint-kv
	end
end
private-endpoint-kv -..-> keyvault
vnet1 <--> vnet2
vnet1 & vnet2 & private-endpoint-kv -..- pdns

Found that if you have Private Endpoint on a Keyvault in Vnet 2, but in Vnet 1 you have a Service Endpoint for KV on the subnet, yo will also need to allow the VNET on the Keyvault, as it looks like the priority for traffic is

flowchart LR

a["Service Endpoint"] --> b["Private Endpoint"] --> c["Public Endpoint"]

When troubleshooting, errors may show that the Private IP space of subnet1 is not authorised on the firewall.