I would go with as as per below explanation After you add a private certificate to an app, the certificate is stored in a deployment unit that's bound to the App Service plan's resource group, region, and operating system combination, internally called a webspace. That way, the certificate is accessible to other apps in the same resource group, region, and OS combination. Private certificates uploaded or imported to App Service are shared with App Services in the same deployment unit. Link: https://learn.microsoft.com/en-us/azure/app-service/configure-ssl-certificate?tabs=apex

After you add a private certificate to an app, the certificate is stored in a deployment unit that's bound to the App Service plan's resource group, region, and operating system combination, internally called a webspace. That way, the certificate is accessible to other apps in the same resource group, region, and OS combination. Private certificates uploaded or imported to App Service are shared with App Services in the same deployment unit. You can add up to 1000 private certificates per webspace. I think A

Store certificate in Azure Key Vault: make sure to use the same subscription and resource group as your App Service app. For that reason only App1 and App2 can use Certificate. https://learn.microsoft.com/en-us/azure/app-service/configure-ssl-app-service-certificate?tabs=portal

Why not A?

When you upload a certificate to App Service, it's stored in the App Service instance's Key Vault. Key Vault is a global service in Azure, meaning it can be accessed from different regions.