Hi PS - Thanks for reaching out.
In general, if you want to track the last access time of the blob, you can enable the last access time tracking feature on the account level.
Once enabled, and you try to check the properties, this shall provide you the last access time of the blob.
Moving ahead, in order to track operation on the storage account, you can rely on the storage diagnostic logging. Since you will be using the SAS token, it won't be logging any user specific details and only log SAS as the authentication scheme. You can narrow down the search based on user agent, client IP and request URL (blob name).
https://learn.microsoft.com/en-us/azure/storage/blobs/monitor-blob-storage?tabs=azure-portal
https://learn.microsoft.com/en-us/azure/storage/blobs/blob-storage-monitoring-scenarios
Below is the sample blog for refence on the concept basis. You can implement the same with newer diagnostic logging as well.
Hope this answer helps! Please let us know if you have any further queries. I’m happy to assist you further.
Please "Accept the answer” and “up-vote” wherever the information provided helps you, this can be beneficial to other community members.