Hi @Andrei Matrosau Thanks for reaching out. From the description I understand that you wanted to protect your function app which communicate with CosmosDB, and a Storage Account using API Management.
So actual flow would be client --> APIM --> Function app --> CosmosDB --> Storage Account correct me if I am wrong here.
below is a diagram that lists the all the methods we provide from APIM end.
you can implement any of the above methods in conjunction with the subscription Key and the IP wihte-listing methods to improve the security and enforce more restrictions.
Please let me know if you have any further queries.