Handling API keys for client-side app with cloud key vault

I would like to hear about the security implications of my desktop app’s current API usage workflow:

  1. Client-side WPF desktop app connects to Azure Key Vault, a cloud vault, by authenticating via a self-signed certificate packaged and distributed with the app’s installer.
  2. Client app retrieves the API key and the key is assigned to a declared runtime object.
  3. Client app uses the key value to make the required GET requests.
  4. Client app closes with Application.Current.Shutdown().

I'm not well-versed in security myself, but I wondered:

  • Is distributing self-signed certs a risky practice? I.e. others may create a clone app with it
  • Can others potentially hack into the client during runtime and access the key?
  • Potential for man-in-the-middle attacks to intercept keys when retrieving from vault?

Keen to hear expert thoughts about the above and other ideas. I can’t think of another way to make the GET request directly from client-side.
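The workflow from the question written out against the Azure SDK (packages Azure.Identity and Azure.Security.KeyVault.Secrets), as an added example that is not the poster's code; it marks in comments where each of the three concerns sits. The vault name, tenant and client IDs, secret name, API URL and the Bearer header scheme are assumed placeholders, not values from the post.

```csharp
using System;
using System.Net.Http;
using System.Net.Http.Headers;
using System.Threading.Tasks;
using Azure.Identity;
using Azure.Security.KeyVault.Secrets;

// Added example, not the poster's code. All identifiers below are placeholders.
public static class ApiKeyWorkflow
{
    const string VaultUri   = "https://<vault-name>.vault.azure.net/";
    const string TenantId   = "<tenant-id>";
    const string ClientId   = "<app-registration-client-id>";
    const string CertPath   = "client.pfx";                   // shipped inside the installer
    const string SecretName = "<api-key-secret-name>";
    const string ApiUrl     = "https://api.example.invalid/v1/items"; // assumed endpoint

    public static async Task<string> FetchWithVaultKeyAsync()
    {
        // Step 1: the certificate IS the credential. Everything needed to rebuild it
        // (tenant ID, client ID, the PFX and any password for it) sits in the
        // installer, so whatever Key Vault permission this identity holds is in
        // effect held by anyone who owns a copy of the app. Keep that permission
        // to "get" on this one secret and review the vault's diagnostic logs for
        // callers that are not the expected app population.
        var credential = new ClientCertificateCredential(TenantId, ClientId, CertPath);

        // Step 2: the SDK reaches the vault over HTTPS and validates the server
        // certificate chain, so interception requires a CA the machine already
        // trusts, not merely a position on the network. The key arrives as a
        // managed string, which cannot be zeroed; it remains in process memory
        // until the garbage collector reclaims it, regardless of how the app exits.
        var vault = new SecretClient(new Uri(VaultUri), credential);
        KeyVaultSecret secret = await vault.GetSecretAsync(SecretName);
        string apiKey = secret.Value;

        // Step 3: the GET request carrying the key (Bearer scheme assumed).
        // Anything that can read this process's memory or hook HttpClient on the
        // same machine sees the same value the vault handed out.
        using var http = new HttpClient();
        http.DefaultRequestHeaders.Authorization =
            new AuthenticationHeaderValue("Bearer", apiKey);
        using HttpResponseMessage response = await http.GetAsync(ApiUrl);
        response.EnsureSuccessStatusCode();
        return await response.Content.ReadAsStringAsync();
    }
}
```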