1) There is currently a preview for Azure Automation Private Link. However, as part of the preview release, an Automation account cannot access Azure resources that are secured using a private endpoint, such as a Storage Account. Another option which might work for you is to use a Hybrid Worker Group in Azure Automation. The systems can be your physical systems that can reach Azure or your Azure VMs. You can then grant access to the IP addresses that are in your Hybrid Runbook Worker group.
2) There are far too many security recommendations to cover in a single post. I would recommend you read through our Security recommendations for Blob storage, as well as the Azure Security Baseline for Azure Storage, to make sure there is not something you have overlooked.
3) Using the Hybrid Worker Group as suggested above would work. Another option is setting up a private endpoint for Azure Storage.
I hope this information helps! Let me know if you have further questions or issues.
Please don't forget to "Accept the answer" and "up-vote" wherever the information provided helps you, as this can be beneficial to other community members.
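To put the two storage-side options from the answer above into practice (locking the storage firewall down to the Hybrid Runbook Worker IPs, and adding a private endpoint for Blob storage), here is an added example using the Az PowerShell module; it is not code from the original answer. All resource names and the worker IP addresses are placeholders, and the private endpoint part assumes a VNet and subnet that the workers can reach.

```powershell
# Added example (not part of the original answer). Assumes the Az PowerShell module
# is installed and Connect-AzAccount has been run. All names below are placeholders.
$rg        = 'rg-automation-example'      # placeholder resource group
$stAcct    = 'stautomationexample'        # placeholder storage account name
$vnetName  = 'vnet-hybrid-worker'         # placeholder VNet hosting the Hybrid Runbook Workers
$subnet    = 'snet-workers'               # placeholder subnet for the private endpoint
$workerIps = @('203.0.113.10', '203.0.113.11')   # placeholder public IPs of the workers

# Option A: deny by default on the storage firewall and allow only the worker IPs.
Update-AzStorageAccountNetworkRuleSet -ResourceGroupName $rg -Name $stAcct `
    -DefaultAction Deny -Bypass AzureServices
foreach ($ip in $workerIps) {
    Add-AzStorageAccountNetworkRule -ResourceGroupName $rg -Name $stAcct -IPAddressOrRange $ip
}

# Option B: reach the storage account over a private endpoint from the worker VNet instead.
$sa   = Get-AzStorageAccount -ResourceGroupName $rg -Name $stAcct
$vnet = Get-AzVirtualNetwork -ResourceGroupName $rg -Name $vnetName
$snet = Get-AzVirtualNetworkSubnetConfig -Name $subnet -VirtualNetwork $vnet

$conn = New-AzPrivateLinkServiceConnection -Name "$stAcct-blob-conn" `
    -PrivateLinkServiceId $sa.Id -GroupId 'blob'
$pe = New-AzPrivateEndpoint -ResourceGroupName $rg -Name "pe-$stAcct-blob" `
    -Location $vnet.Location -Subnet $snet -PrivateLinkServiceConnection $conn

# Private DNS so the workers resolve the account's blob FQDN to the private IP.
$zoneName = 'privatelink.blob.core.windows.net'
$zone = New-AzPrivateDnsZone -ResourceGroupName $rg -Name $zoneName
New-AzPrivateDnsVirtualNetworkLink -ResourceGroupName $rg -ZoneName $zoneName `
    -Name "link-$vnetName" -VirtualNetworkId $vnet.Id | Out-Null
$zoneCfg = New-AzPrivateDnsZoneConfig -Name 'blob-zone' -PrivateDnsZoneId $zone.ResourceId
New-AzPrivateDnsZoneGroup -ResourceGroupName $rg -PrivateEndpointName $pe.Name `
    -Name 'default' -PrivateDnsZoneConfig $zoneCfg | Out-Null

# Verify: DefaultAction should now be Deny and only the worker IPs should be listed.
Get-AzStorageAccountNetworkRuleSet -ResourceGroupName $rg -Name $stAcct |
    Select-Object DefaultAction, @{ n = 'AllowedIps'; e = { $_.IpRules.IPAddressOrRange -join ', ' } }
```

Traffic arriving over the private endpoint is not subject to the IP rules, so the two options can be combined: keep the firewall denying by default and let the workers use the private endpoint.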