@Vasantha Raman A Key rotation you should expect to see new secrets generated not only per VM but per volume, in some cases you will see new versions of the secret instead of new secrets, but at the end they are treated on a very similar way, the encryption settings on each drive will be updated to point to the new secrets.
If you so desire to clean up the KeyVault of unused secrets the recommendation is to check all the encryption settings of all the encrypted VMs and correlate with the current content of each specific KeyVault
so you can be sure that you are not deleting a secret or a particular version that is being used, then we strongly encourage you to take a backup of the secret just in case that a restore is needed,
after a secret deletion is a good idea to test out if the VM that was previously associated with it can safely be rebooted,
if not then the secret should be restored and then another case with us can be open to check the reason why the secret on the encryption settings was not updated.
We’re currently looking into the key rotation process and trying to identify any possible causes for your VMs to not start while deleting the secret that was not the one that is on the disk encryption settings for each individual disk.
About the costs, I checked and the information is publicly available here: https://azure.microsoft.com/en-us/pricing/details/key-vault/, the costs associated with secrets is based on secret operations, you can check the cost there by region and currency, if you need more details about that you can reach out to the sales team and they should be able to clarify.
Please let us know if you have any further queries. I’m happy to assist you further.
----------
Please do not forget to and “up-vote” wherever the information provided helps you, this can be beneficial to other community members.