App Service to access Storage account with Firewalls and Virtual Network enabled

Yes, enabling "Allow trusted Microsoft Services" will give App service access to the storage account.

Thanks for asking question! To elaborate on this Some Microsoft services operate from networks that can't be included in your network rules. You can grant a subset of such trusted Microsoft services access to the storage account, while maintaining network rules for other apps. These trusted services will then use strong authentication to connect to your storage account securely. We've enabled two modes of trusted access for Microsoft services.

• Resources of some services, when registered in your subscription, can access your storage account in the same subscription for select operations, such as writing logs or backup.

• Resources of some services can be granted explicit access to your storage account by assigning an RBAC role to its system-assigned managed identity.

You may refer to this link for more detail on this: https://learn.microsoft.com/en-us/azure/storage/common/storage-network-security#trusted-microsoft-services

Use Vnet integration option on Azure WebApp and whitlist same subnet in storage account's Network Security Rule.

With this your traffic shall start flowing through a self managed VNet, where you can further apply NSG's & UDRs/

While the Vnet Integration works, it is still not practicable solution in it's current shape and form, as each App service Plan need a dedicated subnet for Regional Vnet Integration to work. So if your organization require multiple Apps connecting to storage accounts, this will require you to carve out separate subnets per App Service Plan which looks totally absurd.

As @Onstwedder, M.A. (Martijn) say, I turn on "Allow trusted Microsoft Services", and try to use Azure Web App connection storage, haved 403 Error.
Should I use Vnet? Hope for better advice.