I found a solution, I edited the service file with dietpi-services and added in the [Service] section the line:
StandardOutput=file:/mnt/dietpi_userdata/vaultwarden/vaultwarden.log.
The log gets now written to this file, which fail2ban can read.

I also tested a bit with action= and banaction= and now it is working and catching my failed attempts, with this config:

/etc/fail2ban/filter.d/vaultwarden.conf

[INCLUDES]
before = common.conf

[Definition]
failregex = ^.*Username or password is incorrect\. Try again\. IP: <ADDR>\. .*$
ignoreregex =

/etc/fail2ban/jail.conf

[DEFAULT]
enabled = true
ignoreip = 127.0.0.1/8
ignorecommand =
backend = systemd
mode = normal
filter = %(__name__)s[mode=%(mode)s]
findtime = 600
maxretry = 3
bantime = 600
banaction = route
action = %(banaction)s[blocktype=blackhole]

[dropbear]

[sshd]
# Mode: normal (default), ddos, extra or aggressive (combines all)
# See "filter.d/sshd.conf" for details.
#mode = normal

[vaultwarden]
enable=true
port =80,443,8001
filter = vaultwarden
banaction = route
action = %(banaction)s[blocktype=blackhole]
logpath = /mnt/dietpi_userdata/vaultwarden/vaultwarden.log
maxretry = 3
bantime = 14400
findtime = 14400
mode=normal
backend=auto

EDIT:

okay if you do it with this action and banaction, every connection gets banned. My SSH connection to my TestPi dropped after the 3rd failed attempt
Luckily I can SSH into it from another device and unban myself
So maybe there is some need for improvement for the actions, but it’s working.