Using MSI authentication with COPY is required when loading from a storage account that limits access only to a set of virtual network subnets via Private Endpoints or Service Endpoints. The MSI is able to bypass the network configurations when "Allow trusted Microsoft services" is enabled. Details here: https://techcommunity.microsoft.com/t5/azure-synapse-analytics/how-to-set-up-private-link-with-high-throughput-data-ingestion/ba-p/1594440.

Ideally loading should access the storage account following the storage account's network configurations (i.e. using the Private endpoint)