I am exploring the use of token authentication to control Blob storage and the corresponding CDN "copy" of that data.
In Azure Storage, the security is a "Shared Access Signature" and/or a "Shared Access Policy".
In Azure Verizon Premium CDN, it uses a completely different access control technique, and in some respects it's better than Azure Blob.
Token authentication is a mechanism that allows you to prevent Azure CDN from serving assets to unauthorized clients. This is typically done to prevent "hotlinking" of content, where a different website, often a message board, uses your assets without permission. This can have an impact on your content delivery costs. By enabling this feature on CDN, requests will be authenticated by CDN edge POPs before delivering the content.
My goal is to prevent hot linking of a "bearer token" / special URL. The CDN seems to address this with a referer validation requirement.
Is there any way to get Blob storage to also check the referer?
Is there any overlap between the Azure storage authentication parameters and the CDN? (header validation, IP restriction)
I am not sure whether Azure Blob storage can do token authentication.
However, you can put Azure Blob storage behind CDN, and let CDN layer take care of the token authentication.
Token authentication can be based on timstamp, country code, referer, URL (Verizon CDN).