@suvra jyoti Firstly, apologies for the delay in responding here and any inconvenience this issue may have caused.
Yes. This is expected. Azure CDN expects the origin to be publicly accessible. Since you have NSG/Firewall on the Origin, so that will only allow CDN Traffic
Presently, CDN does not support Private Endpoint as it's origin. However, Azure Front Door Premium support Private Endpoint as it's backend Pool.
This article will guide you through how to configure Azure Front Door Premium tier to connect to your storage account origin privately using the Azure Private Link service.
Connect Azure Front Door Premium to a storage account origin with Private Link
If you wish you may leave your feedback here All the feedback you share in these forums will be monitored and reviewed by the Microsoft engineering teams responsible for building Azure.
Additional information: Refer to this article: How to Integrate an Azure Storage account with Azure CDN.
Please let us know if you have any further queries. I’m happy to assist you further.
Please do not forget to and “up-vote” wherever the information provided helps you, this can be beneficial to other community members.