Hi Peter Daniels - Thanks for reaching out.
From a storage perspective,
For option 1, using RBAC and ACLs helps in providing granular access w.r.t. data access; however, it is inclined towards the data plane and involves no networking configuration or control of access via the public network.
For option 2, this is like an additional layered approach: adding an extra layer on top of the data plane to restrict access first based on authorized networks, such as certain IPs in the firewall list, a VNET/subnet, or even a private endpoint. The link below talks about these different configurations.
Once the call is made to storage for accessing the data, it will first be evaluated for network-layer authorization, i.e., whether the call is coming from an authorized network. Once that is successful, the data plane permissions are further evaluated in terms of RBAC/ACL permissions for the operation.
Please let us know if you have any further queries. I’m happy to assist you further.
Please do not forget to "Accept the answer” and “up-vote” wherever the information provided helps you, this can be beneficial to other community members.
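The two-stage evaluation described in the answer (network rules first, then data-plane RBAC/ACL permissions), as an added illustrative model that is not part of the original answer and not Azure's own code. The rule-set shape (default action, IP CIDR rules, subnet rules), the principal-to-operation grants table standing in for RBAC roles plus ACLs, the sample addresses and the result labels are all constructed assumptions; they only mirror the ordering the answer explains.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network


@dataclass
class NetworkRuleSet:
    """Constructed model of a storage firewall: a default action plus allow rules."""
    default_action: str = "Deny"                       # "Allow" or "Deny"
    ip_rules: list = field(default_factory=list)       # allowed CIDR ranges
    subnet_rules: set = field(default_factory=set)     # allowed VNET/subnet ids

    def allows(self, source_ip=None, source_subnet=None):
        # Stage 1 of the evaluation: is the caller on an authorized network?
        if self.default_action == "Allow":
            return True                                # public access, no network gating
        if source_subnet is not None and source_subnet in self.subnet_rules:
            return True                                # service-endpoint / VNET rule match
        if source_ip is not None:
            addr = ip_address(source_ip)
            if any(addr in ip_network(cidr) for cidr in self.ip_rules):
                return True                            # firewall IP rule match
        return False                                   # default action Deny applies


def evaluate_request(ruleset, grants, principal, operation,
                     source_ip=None, source_subnet=None):
    """Return (status, reason) for one data-plane call.

    grants maps principal -> set of permitted operations; it stands in for the
    combined RBAC role assignment and ACL check on the data plane (assumption).
    """
    # Network layer is evaluated before any identity/permission check, so a
    # caller with a perfectly good role still gets denied from the wrong network.
    if not ruleset.allows(source_ip, source_subnet):
        return 403, "NetworkRuleDenied (constructed label)"
    # Only then are RBAC/ACL permissions for the specific operation evaluated.
    if operation not in grants.get(principal, set()):
        return 403, "PermissionMismatch (constructed label)"
    return 200, "OK"


def build_sample():
    """Constructed sample: deny-by-default firewall with one IP range and one subnet."""
    ruleset = NetworkRuleSet(
        default_action="Deny",
        ip_rules=["203.0.113.0/24"],                    # TEST-NET-3 documentation range
        subnet_rules={"/vnets/app-vnet/subnets/web"},   # hypothetical subnet id
    )
    grants = {
        "blob-reader": {"read"},                       # e.g. a data-reader style role
        "blob-contributor": {"read", "write"},
    }
    return ruleset, grants


if __name__ == "__main__":
    rs, g = build_sample()
    # Right network, right role: succeeds.
    print(evaluate_request(rs, g, "blob-reader", "read", source_ip="203.0.113.7"))
    # Right role, wrong network: rejected at the network layer, RBAC never consulted.
    print(evaluate_request(rs, g, "blob-contributor", "write", source_ip="198.51.100.9"))
    # Right network (via subnet), insufficient permission: rejected at the data plane.
    print(evaluate_request(rs, g, "blob-reader", "write",
                           source_subnet="/vnets/app-vnet/subnets/web"))
```

Running the script shows the two distinct rejection points: the second call fails before its (sufficient) permissions are ever considered, which is the behaviour to expect when a firewall or private endpoint is in place, while the third call passes the network check and is then stopped by the RBAC/ACL evaluation.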