There should be a way for users to navigate to their containers without having to have full read permissions on the storage account
There should be a way for users to navigate (using point and click) to their containers without having to have full read permissions on the storage account (which seem to override any container-level).
We found that granting the "Reader" role on the storage account gave users read access to all the containers within it. Perhaps that needs to be reviewed, or another role created that just allows the displaying of storage accounts, and then displaying of containers within it could be based on container-level ACLs.
