Azure KeyVault scopes help for access denied error

I'm trying to access Azure KeyVault using the code snippets below. I've checked that the web app has all the permissions needed, like specifically adding all the cryptographic permissions for the web app under access policies for the key vault.

The application is a .Net 6 Web API running locally within docker, so most of the security options in the tutorials haven't been possible.

I have had it working using a hard coded access token so I am confident things like my key name, key version and uri are correct.

When switching to use a client id and secret I instead get an access denied error.

What I'm less sure about is the scopes. I've tried options I've found online like the key vault uri, trying the values on the properties page of the key vault and the general key vault scope but not had any success so far.

What scope am I supposed to be requesting here and is there a good documentation page to help with this? The ones I've tried so far haven't been very helpful.

var app = ConfidentialClientApplicationBuilder.Create(_clientId)
    .WithClientSecret(_clientSecret)
    .WithAuthority(authority)
    .Build();

var authResult = app.AcquireTokenForClient(new[] { $"{kvUri}/.default" }).ExecuteAsync().GetAwaiter().GetResult();
var accessToken = authResult.AccessToken;
_keyVaultClient = new KeyVaultClient(
            async (string a, string r, string s) => accessToken);

var refreshTokenResult = await _keyVaultClient.DecryptAsync(kvUri, "mykeyname", keyVersion, "RSA-OAEP", settings.RefreshTokenBinary);

From @juunas comment:

The scope should be https://vault.azure.net/.default

This solved the issue.