A key vault service needs to be created in each resource group.

The following screenshot shows how to create a key vault service for Contoso. Logic Apps gets permission to access a key vault using the service principal. In the Add new access policy blade, select Azure Logic Apps as a service principal:

In the Key permissions dropdown, ensure that you have selected the permissions shown in the following screenshot. These permissions are necessary for Logic Apps to use the certificate for encryption, decryption, signing, and signature verification:

Similarly, create a key vault service named ShipAnyWhere-KeyVault in the ShipAnyWhere-B2B resource group.