Unfortunately using the storage account firewall to allow access from a web does not work when they are both in the same region. Traffic from the web app goes to the storage account over the internal Azure network using IP's that you are not provided with (and that will change).
If you want to secure a storage account for access from a web app you have a few options:
- Join your Web App to a virtual network, then create a service endpoint or private link connection to the storage account attached to that virtual network. your web app traffic will be routed via the virtual network.
- Use an App Service Environment instead of the PaaS Web App. This will be joined to a vNet and again route traffic that way, but is expensive