@JAL Thank you for reaching out.
If the developer has an account in the tenant, you should configure access policies with at least "Get" and "List" permissions. The developer should also login to Visual Studio with the same account.
You can then use DefaultAzureCredential to seamlessly switch between local development and Managed Identity when deployed to App Service without any code changes.
// Create a secret client using the DefaultAzureCredential
var client = new SecretClient(new Uri("https://YOURVAULTNAME.vault.azure.net/"), new DefaultAzureCredential());
If developers do not have access to the tenant, authenticating via Client credentials and Client certificates are the only options right now.
----------
If an answer is helpful, please "Accept answer" or "Up-Vote" for the same which might be beneficial to other community members reading this thread.