In my opinion, using Key Vault will perfectly fit your requirements. When you use it:
Keys are stored in a vault and invoked by URI when needed.
Keys are safeguarded by Azure, using industry-standard algorithms, key lengths, and hardware security modules.
Keys are processed in HSMs that reside in the same Azure datacenters as the applications. This method provides better reliability and reduced latency than keys that reside in a separate location, such as on-premises.
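
Added example (not part of the original answer, and not Azure SDK code): because keys are invoked by URI, an application that takes a key identifier from configuration can validate it before handing it to a client that will authenticate to that host. The sketch assumes the public-cloud suffix `.vault.azure.net` and the `https://{vault}.vault.azure.net/keys/{name}/{version}` identifier layout; `parse_key_id`, `KeyId` and the sample URI are constructed for illustration.

```python
import re
from typing import NamedTuple, Optional
from urllib.parse import urlsplit

# Assumption: public Azure cloud only; sovereign clouds use other DNS suffixes.
VAULT_SUFFIX = ".vault.azure.net"
VAULT_NAME = re.compile(r"[a-z](?!.*--)[a-z0-9-]{1,22}[a-z0-9]")  # 3-24 chars
KEY_NAME = re.compile(r"[0-9A-Za-z-]{1,127}")
KEY_VERSION = re.compile(r"[0-9a-f]{32}")  # assumption: 32 hex characters
# Constructed sample identifier, not a real vault or key.
SAMPLE_KEY_ID = ("https://contoso-vault.vault.azure.net/keys/"
                 "app-signing-key/0123456789abcdef0123456789abcdef")


class KeyId(NamedTuple):
    vault: str
    name: str
    version: Optional[str]


def parse_key_id(uri: str, require_version: bool = True) -> KeyId:
    """Parse a Key Vault key identifier; raise ValueError if it looks unsafe."""
    parts = urlsplit(uri)
    if parts.scheme != "https":
        raise ValueError("key identifier must use https")
    # Userinfo, explicit ports, queries and fragments have no place in a key ID.
    if parts.username or parts.password or parts.port or parts.query or parts.fragment:
        raise ValueError("unexpected URI component")
    host = (parts.hostname or "").lower()
    if not host.endswith(VAULT_SUFFIX):
        raise ValueError("host is not a Key Vault endpoint")
    vault = host[: -len(VAULT_SUFFIX)]
    if not VAULT_NAME.fullmatch(vault):
        raise ValueError("invalid vault name")
    segments = parts.path.split("/")[1:]
    if len(segments) not in (2, 3) or segments[0] != "keys":
        raise ValueError("path must be /keys/{name}[/{version}]")
    name = segments[1]
    version = segments[2] if len(segments) == 3 else None
    if not KEY_NAME.fullmatch(name):
        raise ValueError("invalid key name")
    if version is None:
        if require_version:
            raise ValueError("key identifier does not pin a version")
    elif not KEY_VERSION.fullmatch(version):
        raise ValueError("invalid key version")
    return KeyId(vault, name, version)
```

Pinning a version (`require_version=True`) makes the application fail closed if the configured identifier would otherwise silently follow a rotated or replaced key.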