@George Sun In order to understand the issue better: you are trying to create a service principal for Azure Blob Storage lifecycle management for another subscription, am I correct? If so, it's not possible for now!
From the service principal's perspective, it should be able to authenticate to and access the resources if the subscriptions are within the same tenant.
Management Policies - Create Or Update : Service: Storage Resource Provider
Additional information: Managed identities for Azure resources can be used to authenticate to services that support Azure AD authentication. For a list of Azure services that support the managed identities for Azure resources feature, see Services that support managed identities for Azure resources.
Which operations can I perform using managed identities?
Authorize access to blob or queue data from a native or web application
Azure Storage supports using Azure Active Directory (Azure AD) to authorize requests to blob data. With Azure AD, you can use Azure role-based access control (Azure RBAC) to grant permissions to a security principal, which may be a user, group, or application service principal. The security principal is authenticated by Azure AD to return an OAuth 2.0 token. The token can then be used to authorize a request against the Blob service.
An Azure AD security principal may be a user, a group, an application service principal, or a managed identity for Azure resources. The RBAC roles that are assigned to a security principal determine the permissions that the principal will have. To learn more about assigning Azure roles for blob access, see Assign an Azure role for access to blob data.
Please let us know if you have any further queries. I’m happy to assist you further.