Q. What is the difference between a software-protected and HSM-protected key with Azure Key Vault?
A. Both types of key have the key stored in the HSM at rest. The difference is for a software-protected key when cryptographic operations are performed they are performed in software in compute VMs while for HSM-protected keys the cryptographic operations are performed within the HSM.
In test/dev environments using the software-protected option is recommended while in production use HSM-protected. The only downside with HSM-protected is an additional charge per-month if the key is used in that month.