HiveBrain v1.2.0

Including vault-encrypted variables in a task

Submitted by: @import:stackexchange-devops

Problem

I just recently started to use Ansible, and am trying to deploy a configuration file that contains a secret key and email (for credentials to use with an API). I encrypted them with ansible-vault encrypt_string ..., and added them to the playbook:

- name: generate dehydrated dns-hook config file
  template:
    src: etc/dehydrated/dns-hook.sh.j2
    dest: /etc/dehydrated/dns-hook.sh.j2
  vars:
    token: !vault |
              $ANSIBLE_VAULT;1.2;AES256;dns-hook
              66326635666264386238316238373135626233393437633937626534623931636365336231363462
              6131333637663337363162653561393962626661313762300a383633303136633564346366383935
              65333265306162386564363937636531346265633635656536646533393961343935313161643262
              6132336430373235380a313364323438393765613131356535373862306337306434653237316566
              34333965356663626231626533656661663364313737663036343161663638373836366235643730
              3965323463643231666361356330343663653536306634646438
    email: !vault |
              $ANSIBLE_VAULT;1.2;AES256;dns-hook
              64336666396139636636386536373531343133303964646631346135633033356162626562333561
              3338336534333236613330336532353861393265613766380a376632616665366463313237656166
              30633135303431336138303535343962663965363536616139393631626534353432313466633064
              3466363063666663360a343233376333643931323738356435643930623765306537313437356638
              3332396164356236663133613432313063373130653632323432643230646237366


However, whenever I run the playbook, I get the following error:

TASK [generate dehydrated dns-hook config file] *****************************************************
[WARNING]: There was a vault format error: Vault format unhexlify error: Odd-length string

fatal: [sherlock.server.com]: FAILED! => {"changed": false, "msg": "AnsibleVaultFormatError: Vault format unhexlify error: Odd-length string"}


The only thing I can find about this erro
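The "Odd-length string" in the error is the first decoding step of a vault payload failing: everything below the $ANSIBLE_VAULT header is one long hex string, and it can only be decoded if it has an even number of characters. The checker below is an added example written for this page (it is not Ansible's code and not part of the question or answer). It parses the header for both layouts seen on this page (1.2 with a vault id for encrypt_string output, 1.1 without one for an encrypted file), verifies the hex body, and then decodes the outer layer, which is laid out as three newline-separated hex fields (salt, HMAC, ciphertext). The two payloads from the question are embedded verbatim; build_sample_payload is an assumed helper that only wraps constructed bytes in that layout and performs no encryption, so its output is useful for format testing only.

```python
"""Check the text layout of an Ansible Vault payload before a playbook trips over it."""
import binascii
import re
import string
from dataclasses import dataclass, field
from typing import List, Optional

# $ANSIBLE_VAULT;<format>;<cipher>[;<vault id>]  (vault id is present for format 1.2 only)
HEADER_RE = re.compile(
    r"^\$ANSIBLE_VAULT;(?P<version>1\.[12]);(?P<cipher>[A-Z0-9]+)(?:;(?P<vault_id>[^;]+))?$"
)


@dataclass
class VaultCheck:
    ok: bool
    version: Optional[str] = None
    cipher: Optional[str] = None
    vault_id: Optional[str] = None
    hex_length: int = 0          # characters in the hex body (must be even)
    problems: List[str] = field(default_factory=list)


def check_vault_text(text: str) -> VaultCheck:
    """Validate header and hex layout; never needs the vault password."""
    lines = [ln.strip() for ln in text.strip().splitlines() if ln.strip()]
    result = VaultCheck(ok=False)
    if not lines:
        result.problems.append("empty payload")
        return result
    m = HEADER_RE.match(lines[0])
    if not m:
        result.problems.append(f"unrecognised header: {lines[0]!r}")
        return result
    result.version, result.cipher, result.vault_id = m.group("version", "cipher", "vault_id")
    if result.cipher != "AES256":
        result.problems.append(f"unsupported cipher {result.cipher}")
    if result.version == "1.2" and not result.vault_id:
        result.problems.append("format 1.2 header lacks a vault id")
    if result.version == "1.1" and result.vault_id:
        result.problems.append("format 1.1 header must not carry a vault id")
    body = "".join(lines[1:])
    result.hex_length = len(body)
    if not body:
        result.problems.append("no ciphertext after header")
        return result
    bad = set(body) - set(string.hexdigits)
    if bad:
        result.problems.append(f"non-hex characters in body: {sorted(bad)}")
    if len(body) % 2:
        result.problems.append(f"odd-length hex body ({len(body)} chars): a character was lost or added")
    if result.problems:
        return result
    # Outer hex decodes to "salt\nhmac\nciphertext", each field itself hex-encoded.
    fields = binascii.unhexlify(body).split(b"\n")
    if len(fields) != 3:
        result.problems.append(f"expected salt/hmac/ciphertext fields, found {len(fields)}")
        return result
    for name, part in zip(("salt", "hmac", "ciphertext"), fields):
        try:
            binascii.unhexlify(part)
        except binascii.Error as exc:
            result.problems.append(f"{name} field is not valid hex: {exc}")
    result.ok = not result.problems
    return result


def build_sample_payload(salt: bytes, hmac: bytes, ciphertext: bytes,
                         vault_id: Optional[str] = None) -> str:
    """Constructed helper: wrap given bytes in the vault text layout (no encryption done)."""
    inner = b"\n".join(binascii.hexlify(f) for f in (salt, hmac, ciphertext))
    outer = binascii.hexlify(inner).decode()
    header = f"$ANSIBLE_VAULT;1.2;AES256;{vault_id}" if vault_id else "$ANSIBLE_VAULT;1.1;AES256"
    return "\n".join([header] + [outer[i:i + 80] for i in range(0, len(outer), 80)]) + "\n"


# Both payloads copied from the question as posted.
TOKEN_FROM_QUESTION = """$ANSIBLE_VAULT;1.2;AES256;dns-hook
66326635666264386238316238373135626233393437633937626534623931636365336231363462
6131333637663337363162653561393962626661313762300a383633303136633564346366383935
65333265306162386564363937636531346265633635656536646533393961343935313161643262
6132336430373235380a313364323438393765613131356535373862306337306434653237316566
34333965356663626231626533656661663364313737663036343161663638373836366235643730
3965323463643231666361356330343663653536306634646438
"""

EMAIL_FROM_QUESTION = """$ANSIBLE_VAULT;1.2;AES256;dns-hook
64336666396139636636386536373531343133303964646631346135633033356162626562333561
3338336534333236613330336532353861393265613766380a376632616665366463313237656166
30633135303431336138303535343962663965363536616139393631626534353432313466633064
3466363063666663360a343233376333643931323738356435643930623765306537313437356638
3332396164356236663133613432313063373130653632323432643230646237366
"""

if __name__ == "__main__":
    for label, payload in (("token", TOKEN_FROM_QUESTION), ("email", EMAIL_FROM_QUESTION)):
        r = check_vault_text(payload)
        print(f"{label}: ok={r.ok} version={r.version} id={r.vault_id} "
              f"hex_chars={r.hex_length} problems={r.problems}")
```

Running it reports the token block as well-formed and the email block as an odd-length body, which is the same condition the task reported; a check like this is worth running over any !vault block that was pasted by hand, since a single dropped character produces a payload that looks plausible but cannot be decoded.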

Solution

A more robust and practical solution is an encrypted file. For example,
shell> cat vault1.yml
my_email: admin@example.com
my_tag: tag123

shell> ansible-vault encrypt vault1.yml
Encryption successful

shell> cat vault1.yml
$ANSIBLE_VAULT;1.1;AES256
33376431383930313965356364356136306338383238303032363165633962636366663939373237
3433383262306631643431346236653534316331643466660a326562663633346662656233353733
63373561636432653535666437656537326635363935366261666237353136313939323535336665
3333666466656664610a633430313138393238653065623231393165383162656262646139353730
63653231363465643237666465613631646539366262656537323932346530386364353132326234
3230623232393630396361333462343862323231323733376665


Then the encrypted file can be used in various places. For example,
shell> cat playbook.yml
- hosts: localhost
  tasks:
    - include_vars: vault1.yml
    - debug:
        msg: "email: {{ my_email }} tag: {{ my_tag }}"

gives

  "msg": "email: admin@example.com tag: tag123"


Including vault-encrypted variables in a task

It's possible to limit the scope of the variables to a task. This limits the exposure of the sensitive variables and makes the solution safer. For example, the task below gives the same result.
- debug:
    msg: "email: {{ my_vault.my_email }} tag: {{ my_vault.my_tag }}"
  vars:
    my_vault: "{{ lookup('file', 'vault1.yml')|from_yaml }}"

Context

StackExchange DevOps Q#10894, answer score: 5
