I tested with this exact setup, and I found the problem. The secret matcher does not currently support - in the key name, so you need the key to be:
--settings-encryption-key=$duplicatiserver
This means you have to rename the key in the Windows Credential manager as well.
I will update the code to support - and _, but I am thinking of how to catch similar cases as well.
Alternative is to provide a pattern, like:
--secret-provider-pattern=$() --settings-encryption-key=$(duplicati-server)