Protecting information in Vault with a known token in git repository

Hello everyone)
I’m new one, now deployed a Vault cluster (RAFT) and I’m trying to figure out this product.
But I just can’t figure out how to protect the secret using a token if it is in an open repository.
After all, knowing this token, anyone can use it to contact Vault and get a secret
Or in this case, access to Vault is limited only for servers with applications that can access Vault on firewall level?
I now have a scheme - there is a load balancer that forwards traffic to the Vault nodes and
I have an application that has to go to the Vault for a secret i.e. I have to restrict in the firewall what only this server with the application can access Vault?
Thanks for the answer

Do not put credentials, such as tokens, into Git at all.

Instead, deliver credentials to the production application installation via some kind of deployment process, so the application has a proof of identity that is separate from its source code.

Thanks for the answer)
Could you please send some links where specific examples are discussed.
thanks again

No, I don’t have any to hand.