Storage Account firewall with VWAN/secure virtual hub
We have an Azure Virtual WAN, secured virtual hubs, and P2S VPN. I also have an Azure storage account with the firewall enabled to allow traffic from the virtual hub public IP. I'm trying to lock down access so the user has to be on VPN to access the storage account content. I would also like them to be able to access the contents from the Azure portal while on VPN rather than requiring Storage Explorer (with a private endpoint).
In theory, I should be able to access the storage account when connected to the VPN. However, I get a message saying that "This storage account's 'Firewalls and virtual networks' settings may be blocking access to storage services. Try adding your client IP address". The error message shows the secured virtual hub public IP that is included in the storage account firewall allowed IP ranges. If I add my local public IP, access works as expected while not on the VPN.
Both the storage account and the secured virtual hub are in the same region. Reviewing the storage account logs, the connection is shown as coming from the private client IP address rather than the virtual hub public address. I have a similar setup for Cosmos DB and it is working as expected while on VPN.
Is this a known problem and are there any recommended solutions?