Hi - Because it's a pain to renew SSL certificates if you keep copies in different places, I would always suggest that you have one Key Vault (KV) for the cert (so one place to renew it), and then it's OK to point both the App GW and App Service at the same KV for the certificate dependency.
I would still have a different KV for each environment to align with the fact you should have a different App GW and App Service for each environment.
In other use cases, for example secrets/keys, try and keep to the general rule of "one key vault per app per environment", where the "app" is a business process. For example, a site hosted in App Service which requires some secrets in KV would benefit from its own KV for extra isolation, very likely in the same resource group.
In addition:
* do make use of Key Vault references in App Service
* do try and use managed identity and RBAC, not the access keys, for Key Vault access
* use private endpoints for the Key Vault where appropriate (to further limit attack surface area)
* make use of the fine-grained control plane and data plane permissions available to ensure least privilege and segregation of control
Hope that helps
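As an added illustration of the "one KV per app per environment", managed-identity-plus-RBAC and Key Vault reference points above (example Bicep written for this reply, not from the original answer or any Microsoft sample; the app name, location, secret name and role GUID usage are assumptions, and the private endpoint/VNet integration and the App GW are left out for brevity):

```bicep
// Assumed parameters: one deployment per environment gives one vault per env.
param env string = 'dev'
param location string = resourceGroup().location
param appName string = 'contoso-web' // hypothetical app (business process) name

resource kv 'Microsoft.KeyVault/vaults@2023-07-01' = {
  name: 'kv-${appName}-${env}'
  location: location
  properties: {
    tenantId: subscription().tenantId
    sku: { family: 'A', name: 'standard' }
    enableRbacAuthorization: true      // data-plane access via RBAC, not access policies/keys
    publicNetworkAccess: 'Disabled'    // reach it via a private endpoint (not shown here)
    networkAcls: { defaultAction: 'Deny', bypass: 'AzureServices' }
  }
}

resource plan 'Microsoft.Web/serverfarms@2023-01-01' = {
  name: 'plan-${appName}-${env}'
  location: location
  sku: { name: 'P1v3', tier: 'PremiumV3' }
}

resource web 'Microsoft.Web/sites@2023-01-01' = {
  name: 'app-${appName}-${env}'
  location: location
  identity: { type: 'SystemAssigned' } // managed identity instead of a stored credential
  properties: {
    serverFarmId: plan.id
    httpsOnly: true
    siteConfig: {
      appSettings: [
        {
          // Key Vault reference: the platform resolves the secret at startup using the
          // app's identity; the secret value never sits in app configuration.
          name: 'DB_CONNECTION_STRING'
          value: '@Microsoft.KeyVault(VaultName=${kv.name};SecretName=DbConnectionString)'
        }
      ]
    }
  }
}

// Least privilege on the data plane: built-in "Key Vault Secrets User" (read secret
// contents only, no list/set/delete), scoped to this one vault.
var kvSecretsUser = subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4633458b-17de-408a-b874-0445c86b69e6')

resource kvRead 'Microsoft.Authorization/roleAssignments@2022-04-01' = {
  name: guid(kv.id, web.id, kvSecretsUser)
  scope: kv
  properties: {
    roleDefinitionId: kvSecretsUser
    principalId: web.identity.principalId
    principalType: 'ServicePrincipal'
  }
}
```

With public access disabled, the app also needs regional VNet integration and a private endpoint on the vault before the reference will resolve; create the DbConnectionString secret out of band rather than in the template.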