@manish verma If you have SAS URL, it doesn't matter if you have container level access as private, it should work .
If you add firewall rule, then you need to whitelist the source IP. So from the SAS URL, we can validate what level of permission that is offered to the SAS
Note: If client and storage account are in same region then IP will not work. They should create a VNet rule
Hope this helps!
Kindly let us know if the above helps or you need further assistance on this issue.
-----------------------------------------------------------------------------------------------------------------------------------------
Please do not forget to "Accept the answer" wherever the information provided helps you to help others in the community.