How to secure Azure client Id and Secret without using App Settings of App Service
I am using Azure Key Vault to store my database credentials. Now, to access it, I have hardcoded the client id and client secret in the service code. How can I avoid this hardcoding, as it's insecure?

1) I don't want to store the client id and client secret in certificates, as deployed certificates are again insecure.
2) My app is not hosted on Azure App Service, so I can't use App Settings to store the client id and client secret.

Is there a way to make Azure Active Directory return an access token only if the request is made from my app URL? Otherwise, how can I protect the client id and client secret from hackers?

Flop answered 29/6, 2017 at 10:4

If you deploy your service on Azure App Service or an Azure VM, you can enable Managed Service Identity (MSI) and add the Azure App Service's service principal to Azure Key Vault. MSI allows you to generate a service principal on the associated Azure service itself. It means you don't need to store a client id and client secret anymore. Azure AD works directly with your Azure App Service.

Here is the introduction of Azure MSI https://learn.microsoft.com/en-us/azure/active-directory/managed-service-identity/overview

Another approach that avoids using a client ID and client secret is to get the access token via a certificate. It can be done simply by uploading your certificate into the Azure Web App certificate store and calling the certificate by its thumbprint. You can refer to this article https://learn.microsoft.com/en-us/azure/key-vault/key-vault-use-from-web-application

Fanning answered 28/3, 2018 at 6:0
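As an added example (not code from the question or either answer), here is how the two approaches in the answer above look side by side in a .NET service using the Azure.Identity and Azure.Security.KeyVault.Secrets packages. The vault URL, secret name, tenant id, client id, thumbprint and the USE_MANAGED_IDENTITY switch are placeholders and assumptions; in neither path does a client secret appear in code or configuration.

```csharp
using System;
using System.Security.Cryptography.X509Certificates;
using System.Threading.Tasks;
using Azure.Core;
using Azure.Identity;
using Azure.Security.KeyVault.Secrets;

// Added example; assumes the Azure.Identity and Azure.Security.KeyVault.Secrets
// NuGet packages. All angle-bracket values are placeholders.
static class KeyVaultAccess
{
    const string VaultUrl = "https://<your-vault>.vault.azure.net/";
    const string SecretName = "<db-connection-string-secret>";

    // Option 1: Managed Service Identity. No secret lives in code or config;
    // the Azure platform issues the token for this compute resource.
    static TokenCredential ManagedIdentity() => new ManagedIdentityCredential();

    // Option 2: certificate credential. Only the thumbprint is configured;
    // the private key stays in the machine certificate store (non-exportable).
    static TokenCredential FromCertificateStore(string tenantId, string clientId, string thumbprint)
    {
        using var store = new X509Store(StoreName.My, StoreLocation.LocalMachine);
        store.Open(OpenFlags.ReadOnly);
        var matches = store.Certificates.Find(X509FindType.FindByThumbprint, thumbprint, validOnly: false);
        if (matches.Count == 0)
            throw new InvalidOperationException("No certificate with the configured thumbprint was found.");
        if (!matches[0].HasPrivateKey)
            throw new InvalidOperationException("Certificate has no private key and cannot authenticate.");
        return new ClientCertificateCredential(tenantId, clientId, matches[0]);
    }

    static async Task<string> ReadSecretAsync(TokenCredential credential)
    {
        var client = new SecretClient(new Uri(VaultUrl), credential);
        KeyVaultSecret secret = await client.GetSecretAsync(SecretName);
        return secret.Value;
    }

    static async Task Main()
    {
        // USE_MANAGED_IDENTITY is an assumed deployment switch: MSI on Azure-hosted
        // compute, the certificate path for a service hosted elsewhere.
        TokenCredential credential = Environment.GetEnvironmentVariable("USE_MANAGED_IDENTITY") == "1"
            ? ManagedIdentity()
            : FromCertificateStore("<tenant-id>", "<client-id>", "<thumbprint>");
        string connectionString = await ReadSecretAsync(credential);
        // Open the database with connectionString here; never log or persist it.
    }
}
```

The Key Vault access policy (or RBAC role) must grant the identity or the certificate's service principal only the secret permissions the service actually needs, so a compromised host cannot read other secrets in the vault.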

Using a client id and a client secret to secure Key Vault just means you've now got a new secret to try and secure somehow. A better approach is to use a certificate to access key vault. You now have additional security because you need the certificate's private key to install it into your application.

Rosalindrosalinda answered 6/9, 2017 at 7:10
