@Jason We understand you are attempting to limit access to your storage account to only your web app.
I come from the web app side so I will be stretching some of my storage account knowledge here but wanted to provide you an answer.
The storage account firewall "resource instance" feature that you spoke of largely exists to provide a way to add resources that cannot be added to a virtual network.
Azure Web Apps can be added to a virtual network so there is a process to provide resource level connectivity.
- Navigate to your storage account in the portal > networking blade
- Select "enabled from selected virtual networks and IP addresses".
- Connect your virtual network to your storage account under the virtual network's header.
- Navigate to your web app in the portal > networking
- Select VNET integration
- Add your VNET here
While there is a lot more configuration that can be done, these are the simple steps that should get you started and limit access to your storage account.
Please let us know if you have further questions or concerns.
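
A way to check the result of the steps above from exported configuration, as an added example that is not part of the original answer. It assumes JSON saved from `az storage account show` and `az webapp show`; the field names (`networkRuleSet`, `virtualNetworkRules`, `virtualNetworkSubnetId`) are assumed to match Azure CLI output, and the sample data is constructed.

```python
import json

# Constructed sample input, shaped like `az storage account show` and
# `az webapp show` output (field names are an assumption about the CLI JSON).
SUBNET = ("/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/"
          "rg-demo/providers/Microsoft.Network/virtualNetworks/vnet-demo/subnets/webapp")
STORAGE_JSON = json.dumps({
    "name": "stdemo",
    "networkRuleSet": {
        "defaultAction": "Deny",  # "enabled from selected virtual networks and IP addresses"
        "ipRules": [],
        # Resource IDs are case-insensitive, so the casing here differs on purpose.
        "virtualNetworkRules": [{"action": "Allow",
                                 "virtualNetworkResourceId": SUBNET.upper()}],
    },
})
WEBAPP_JSON = json.dumps({"name": "app-demo", "virtualNetworkSubnetId": SUBNET})


def audit(storage_json, webapp_json):
    """Return a list of findings; an empty list means only the web app's subnet is allowed."""
    rules = json.loads(storage_json).get("networkRuleSet") or {}
    app_subnet = (json.loads(webapp_json).get("virtualNetworkSubnetId") or "").lower()
    findings = []
    if rules.get("defaultAction") != "Deny":
        findings.append("storage default action is not Deny; all networks are allowed")
    if not app_subnet:
        findings.append("web app has no VNet integration subnet")
    allowed = {(r.get("virtualNetworkResourceId") or "").lower()
               for r in rules.get("virtualNetworkRules") or []
               if r.get("action") == "Allow"}
    if app_subnet and app_subnet not in allowed:
        findings.append("web app subnet is not in the storage virtual network rules")
    for extra in sorted(allowed - {app_subnet}):
        findings.append("additional subnet allowed: " + extra)
    for ip in rules.get("ipRules") or []:
        findings.append("IP rule allowed: " + str(ip.get("ipAddressOrRange")))
    return findings


if __name__ == "__main__":
    for line in audit(STORAGE_JSON, WEBAPP_JSON) or ["ok: storage is limited to the web app subnet"]:
        print(line)
```
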