WinRM password as encrypted string in ansible host file?

I want to use WinRM to communicate via ansible with my Windows host. I've configured WinRM and specified the credentials in the ansible hosts file in plain text. Ping is working. Now I want to specify the password as encrypted - but whats the best approach here?

I've tried to use the Vault function using:

ansible-vault encrypt_string password123 --ask-vault-pass

and tried to specify the output in the hosts file but without success.

[winclients]
testserver

[winclients:vars]
ansible_connection=winrm
ansible_winrm_transport=credssp
ansible_port=5986
ansible_winrm_scheme=https
ansible_winrm_message_encryption=always
ansible_winrm_server_cert_validation=validate
ansible_user=testuser
ansible_password=!vault |
          $ANSIBLE_VAULT;1.1;AES256
          38373237366432653838643061373035333931616466613564653836393862343939313431393064....  
      3234

But now I get the error message:

testserver | UNREACHABLE! => {
    "changed": false,
    "msg": "credssp: Received error status from the server: (3221225581) STATUS_LOGON_FAILURE 0xc000006d",
    "unreachable": true
}

I now put everything into a hosts.yml but now the problem is that ansible tries to connect via SSH like its ignoring the winrm

winclients:
  hosts:
    testserver:
      vars:
        ansible_connection: winrm
        ansible_winrm_transport: credssp
        ansible_port: 5986
        ansible_winrm_scheme: https
        ansible_winrm_message_encryption: always
        ansible_winrm_server_cert_validation: validate
        ansible_user: testuser
        ansible_password: **encrypted_value**