How to use SIGHUP for reloading services?
Vault is telling you the tls_key_file file name cannot be changed after start, and the certificate contents can be reloaded if you send it a SIGHUP.
Your systemd unit sends a SIGHUP if the unit is reloaded, a common pattern for services where that is a reload signal.
Additional logic is needed, as Vault is not monitoring the file for changes. I suggest reloading vault.service in your certificate renewal script, after the cert has been installed.