Apps on Azure Blog

How to set the blob storage firewall to allow access from App Service only

Youna_Hyun
Microsoft
Oct 05, 2022

Scenario

Goal: Blob storage can be accessed only from the app service.
To achieve this, you want to set the blob storage firewall for inbound traffic.

 

Blob storage firewall limitation in this scenario

1. IP address

 IP network rules have no effect on requests originating from the same Azure region as the storage account.

 See Grant access from an internet IP range 

2. Service tag

 There isn't an App service tag.

 

P.S. When clients request blob storage through the app service, blob storage receives the client IP, not the App Service IP.

 

Workaround

1. Add an IP address rule when the app service and storage account are located in different regions.

When the resources are located in different regions, the IP address firewall setting works.

2. Firewall with Virtual Network

When blob storage uses a VNet firewall rule, the app service must be integrated with that VNet.

To read about what VNet integration is, see VNet integration

 

Before setting up VNet integration, you must check its limitations:

Integrate your app with an Azure virtual network - Azure App Service | Microsoft Learn

 

1. Set VNet integration on the app service

Add a VNet to your app service.

I use "firwall-storage-vnet" VNet as below.

 

 

2. Set the blob storage firewall to allow the VNet that is integrated with the app service

3. If you use a function app, add WEBSITE_CONTENTOVERVNET = 1

A value of 1 enables your function app to scale when you have your storage account restricted to a virtual network. 

For details about this setting, see website_contentovervnet
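A configuration check for the limitations and workaround steps above, as an added example that is not part of the original post: it reports which parts of the setup are missing or ineffective. The field names assume the shape of `az storage account show` and `az webapp show` output, the finding codes are hypothetical, and all resource names and IDs are constructed samples.

```python
# Field names follow the shape of `az storage account show` / `az webapp show`
# output (assumption); every resource name and ID below is a constructed sample.
SUBNET_ID = ("/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-demo"
             "/providers/Microsoft.Network/virtualNetworks/demo-vnet/subnets/app-subnet")

STORAGE = {
    "location": "koreacentral",
    "networkRuleSet": {
        "defaultAction": "Deny",
        "ipRules": [{"ipAddressOrRange": "203.0.113.10", "action": "Allow"}],
        "virtualNetworkRules": [],
    },
}
APP = {"location": "Korea Central", "kind": "functionapp",
       "virtualNetworkSubnetId": SUBNET_ID}
APP_SETTINGS = {}  # name -> value, e.g. built from the app's application settings


def _region(name):
    # "Korea Central" and "koreacentral" name the same region.
    return name.replace(" ", "").lower()


def audit(storage, app, app_settings):
    """Return finding codes for gaps against the workaround described above."""
    findings = []
    rules = storage.get("networkRuleSet") or {}
    if rules.get("defaultAction") != "Deny":
        findings.append("firewall-default-allow")
    # Limitation 1: IP rules have no effect on requests from the same region.
    if rules.get("ipRules") and _region(storage["location"]) == _region(app["location"]):
        findings.append("ip-rules-ineffective-same-region")
    # Workaround 2: the app's integration subnet must appear in the storage VNet rules.
    subnet = (app.get("virtualNetworkSubnetId") or "").lower()
    allowed = {r["virtualNetworkResourceId"].lower()
               for r in rules.get("virtualNetworkRules") or []
               if r.get("action", "Allow") == "Allow"}
    if not subnet:
        findings.append("app-not-vnet-integrated")
    elif subnet not in allowed:
        findings.append("integration-subnet-not-allowed")
    # Step 3: function apps need WEBSITE_CONTENTOVERVNET = 1.
    is_function_app = "functionapp" in (app.get("kind") or "").lower()
    if is_function_app and str(app_settings.get("WEBSITE_CONTENTOVERVNET")) != "1":
        findings.append("missing-WEBSITE_CONTENTOVERVNET")
    return findings


if __name__ == "__main__":
    for code in audit(STORAGE, APP, APP_SETTINGS):
        print(code)
```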

 

 

Updated Sep 29, 2022
Version 1.0

1 Comment

  • Angrydot

    "...blob storage receives not App service IP but Client IP" - does this mean you can't disable public network access, use Microsoft network routing, and use a private endpoint on the storage account?