Here’s my understanding. Hope I got it right.
The hashed password in vault.yml is loaded on the server. To escalate a non-root user’s privileges to run the playbook using sudo, you must enter a raw/unhashed password. The server makes a cryptographic hash of the submitted password and compares it to the hash previously loaded onto the server from vault.yml.

With that background, you’ll understand that the hash in vault.yml is not the raw/unhashed password that must be entered in order to run sudo commands. Instead, you must manually enter this raw password each time you run server.yml to enable the admin_user to run tasks using sudo.

It’s a little less painful when you know you can use the shortcut -K (uppercase K) instead of having to type --ask-become-pass.

This applies only if you have sshd_permit_root_login: false in group_vars/all/security.yml (which is a good setting for security).
I agree with @swalkinshaw:
Let us know what ends up being the fix.
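The check described in the post (the server re-hashes the typed password and compares it with the stored hash, so the vault.yml value is never the password itself), as an added shell example that is not from the original post or from Trellis; it assumes the stored hash is in sha512-crypt form and that OpenSSL 1.1.1 or newer is installed, and the password and salt are constructed sample values:

```shell
#!/bin/sh
# Constructed demo of hash-vs-password verification (not Trellis code).
# Assumes sha512-crypt hashes ($6$salt$digest) and OpenSSL >= 1.1.1.

# Constructed sample values. A real hash uses a random salt; the salt is
# fixed here only so the output is reproducible.
SAMPLE_PASSWORD='correct-horse-example'
SAMPLE_SALT='Trellis1'

# make_hash RAW_PASSWORD SALT
# Prints the sha512-crypt string that would be stored in vault.yml.
# The password is fed on stdin so it does not show up in process listings.
make_hash() {
  printf '%s\n' "$1" | openssl passwd -6 -salt "$2" -stdin
}

# verify_password STORED_HASH CANDIDATE
# Mirrors what the server does at the -K / --ask-become-pass prompt:
# take the salt out of the stored hash, hash the candidate with that same
# salt, and compare the results. Prints "match" or "mismatch".
verify_password() {
  stored="$1"
  candidate="$2"
  # Fields of "$6$salt$digest" split on '$': "", "6", "salt", "digest"
  salt=$(printf '%s' "$stored" | cut -d'$' -f3)
  candidate_hash=$(printf '%s\n' "$candidate" | openssl passwd -6 -salt "$salt" -stdin)
  if [ "$candidate_hash" = "$stored" ]; then
    echo match
  else
    echo mismatch
  fi
}
```

Run `make_hash` once to produce the value for vault.yml; `verify_password` then shows that only the raw password, not the stored hash string, satisfies the check.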