We need to set the Storage Account firewall rules, so only traffic from the AKS subnet is allowed.
Open the Storage Account. Under Networking set to Disabled and verify that the app is now broken.
Then switch to Enabled from selected virtual networks and IP addresses and add the subnet. Verify the app is working again.
It takes a minute or two for these changes to take effect, but you need to make sure they are having the expected resut
# turn public access off:
az storage account update -g labs-aks-apps --default-action Deny -n <sa-name>
Now the app should be broken.
# add a rule to allow the AKS subnet:
az storage account network-rule add -g labs-aks-apps --vnet appnet --subnet aks --account-name <sa-name>
And the app will work again.