To summarize little bit: IMO you do not need escaping made by esc_attr
(because your URL won't contain characters it escapes) and esc_url
is useless too (because I don't think URL returned from get_month_year
has to be sanitized - it's not an user input).
Then? Just remove them both:
<a href="<?php echo get_month_link( get_the_time('Y'), get_the_time('m') ); ?>"><?php the_time( get_option( 'date_format' ) ); ?></a>
Of course if you do not "trust" get_month_year
parameters validation you can keep esc_url
(but let me say this may be little bit too paranoic).