A private endpoint does not restrict public access; however, it is advisable to do so for security purposes, as given in the document.
You can secure your storage account to only accept connections from your VNet, by configuring the storage firewall to deny access through its public endpoint by default. You don't need a firewall rule to allow traffic from a VNet that has a private endpoint, since the storage firewall only controls access through the public endpoint. Private endpoints instead rely on the consent flow for granting subnets access to the storage service.
Hope this answers your questions. If you have any further questions/concerns, please do let us know. Thank you!
- Please do not forget to "Accept the answer" wherever the information provided helps you to help others in the community.
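
The check described in the answer above, as an added example that is not part of the original answer: a small audit that reads a storage account in ARM resource form and reports whether its public endpoint is still reachable even though a private endpoint is approved. The property names follow the ARM schema for `Microsoft.Storage/storageAccounts`; the function names, finding codes and sample accounts are constructed for illustration.

```python
def make_account(default_action, public_access="Enabled", pe_status=None, ip_rules=()):
    """Build a constructed sample account (illustrative data, not from the page)."""
    conns = []
    if pe_status:
        conns.append({"properties": {"privateLinkServiceConnectionState": {"status": pe_status}}})
    return {
        "name": "examplestorage",
        "properties": {
            "publicNetworkAccess": public_access,
            "networkAcls": {
                "defaultAction": default_action,
                "bypass": "AzureServices",
                "ipRules": [{"value": v, "action": "Allow"} for v in ip_rules],
                "virtualNetworkRules": [],
            },
            "privateEndpointConnections": conns,
        },
    }

def audit_public_endpoint(account):
    """Return finding codes for exposure through the storage public endpoint."""
    props = account.get("properties", {})
    acls = props.get("networkAcls") or {}
    approved = [
        c for c in props.get("privateEndpointConnections") or []
        if c.get("properties", {}).get("privateLinkServiceConnectionState", {}).get("status") == "Approved"
    ]
    # Missing values are treated as the open setting, so gaps surface as findings.
    if props.get("publicNetworkAccess", "Enabled") == "Disabled":
        return []  # public endpoint is off; only private endpoints reach the account
    findings = []
    if acls.get("defaultAction", "Allow") != "Deny":
        findings.append("PUBLIC_ENDPOINT_ALLOWS_ALL_NETWORKS")
        if approved:
            # The case from the answer: a private endpoint exists, public access is untouched.
            findings.append("PRIVATE_ENDPOINT_DOES_NOT_CLOSE_PUBLIC_ACCESS")
    else:
        # Default deny: each remaining rule is an exception on the public endpoint.
        for rule in acls.get("ipRules") or []:
            findings.append("IP_RULE_EXCEPTION:" + rule.get("value", "?"))
        for rule in acls.get("virtualNetworkRules") or []:
            findings.append("VNET_RULE_EXCEPTION:" + rule.get("id", "?"))
    return findings

if __name__ == "__main__":
    for acct in (make_account("Allow", pe_status="Approved"),
                 make_account("Deny", pe_status="Approved"),
                 make_account("Deny", ip_rules=["203.0.113.0/24"])):
        print(audit_public_endpoint(acct))
```

An empty result for the default-deny account with an approved private endpoint matches the quoted documentation: no firewall rule is needed for private endpoint traffic.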