Create a custom role - action permission overwrites data actions
The Custom Role allows you to set up data action rights, like read, write, delete, create. But in order to access these roles via the Azure portal, the Microsoft.Storage/storageAccounts/listKeys/action has to be allowed. This necessary right "Microsoft.Storage/storageAccounts/listKeys/action" to list the storage keys overrules everything else and you always have full access, independently of whether one permits read only under "data action". For me this is clearly a significant bug in the architecture, as it seems that one cannot restrict any access to the file storage via web; either one has full access or no access. But creating these custom roles might mislead the creator into trusting that the access is restricted, which is not true. Please try finding a solution where the "data action" is not generally overruled by another necessary setting.
Christian Beck commented
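A way to audit for the situation the post describes, as an added example that is not part of the original post or any Microsoft tooling: it flags custom role definitions that grant `listKeys` while withholding file data actions. The role names and sample definitions are constructed, and the wildcard handling (case-insensitive `*` matching via `fnmatch`) is an approximation.

```python
import fnmatch

LIST_KEYS = "Microsoft.Storage/storageAccounts/listKeys/action"
FILES = "Microsoft.Storage/storageAccounts/fileServices/fileshares/files/"
DATA_OPS = [FILES + op for op in ("read", "write", "delete")]

def _matches(patterns, action):
    # Compare case-insensitively and honour '*' wildcards in the role's patterns.
    return any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in patterns)

def grants(role, action, data=False):
    """True if (Data)Actions allow the action and Not(Data)Actions do not subtract it."""
    allow = role.get("DataActions" if data else "Actions", [])
    deny = role.get("NotDataActions" if data else "NotActions", [])
    return _matches(allow, action) and not _matches(deny, action)

def bypassed_restrictions(role):
    """Data operations the role withholds but that an account key would still permit."""
    if not grants(role, LIST_KEYS):
        return []
    return [op for op in DATA_OPS if not grants(role, op, data=True)]

# Constructed sample role definitions (hypothetical names, not from the post).
ROLES = [
    {"Name": "files-read-portal",
     "Actions": ["Microsoft.Storage/storageAccounts/read", LIST_KEYS],
     "DataActions": [FILES + "read"]},
    {"Name": "files-read-wildcard",
     "Actions": ["Microsoft.Storage/storageAccounts/*"],  # wildcard includes listKeys
     "DataActions": [FILES + "read"]},
    {"Name": "files-read-nokeys",
     "Actions": ["Microsoft.Storage/storageAccounts/*"],
     "NotActions": [LIST_KEYS],  # key listing explicitly subtracted
     "DataActions": [FILES + "read"]},
]

def audit(roles):
    """Map role name -> withheld data actions, for roles that also grant listKeys."""
    findings = {}
    for role in roles:
        ops = bypassed_restrictions(role)
        if ops:
            findings[role["Name"]] = ops
    return findings

if __name__ == "__main__":
    for name, ops in audit(ROLES).items():
        print(f"{name}: listKeys granted, so these withheld data actions are not enforced: {ops}")
```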