Hi Andrea - Thanks for reaching out.
To start with, below is the link that talks about the different options for configuring network-level security; connecting to storage via a Private endpoint is one of them.
If there is any kind of VNET peering that can be done, you can test that ahead.
Another recommendation that you mentioned in the second part appears to be pointing to the usage of Managed Identity, wherein you can configure your app as a managed identity and provide the necessary roles in order to connect to the storage ahead. I would suggest reviewing this approach once as well.
Hope that helps!
Please let me know if there are any further queries/concerns; I will be glad to assist.
Please do not forget to "Accept the answer" and "up-vote" wherever the information provided helps you; this can be beneficial to other community members.