I am trying to access a blob in Azure. I can access it using the blobClient.DownloadToAsync call as shown in the GetAsync method below. But I cannot access it if I use blobServiceClient.GetUserDelegationKeyAsync as shown in the CreateSasTokenUri method below.

```csharp
using System;
using System.IO;
using System.Threading.Tasks;
using Azure.Storage.Blobs;
using Azure.Storage.Blobs.Models;
using Azure.Storage.Sas;

public class AppBlobService
{
    private readonly string _connectionString;

    public AppBlobService(string connectionString)
    {
        _connectionString = connectionString;
    }

    public async Task<Uri?> CreateSasTokenUri(string containerName, string blobName)
    {
        var blobServiceClient = new BlobServiceClient(_connectionString);
        var containerClient = blobServiceClient.GetBlobContainerClient(containerName);
        var blobClient = containerClient.GetBlobClient(blobName);
        Uri? ret = null;
        try
        {
            if (await blobClient.ExistsAsync())
            {
                ret = await GetUserDelegationSasBlob(blobClient);
            }
        }
        catch (Exception e)
        {
            Console.WriteLine(e);
        }
        return ret;
    }

    private async Task<Uri> GetUserDelegationSasBlob(BlobClient blobClient)
    {
        BlobServiceClient blobServiceClient =
            blobClient.GetParentBlobContainerClient().GetParentBlobServiceClient();
        // Requests a user delegation key; this is the call that fails with 403 below.
        UserDelegationKey userDelegationKey =
            await blobServiceClient.GetUserDelegationKeyAsync(DateTimeOffset.UtcNow,
                DateTimeOffset.UtcNow.AddDays(7));
        BlobSasBuilder sasBuilder = new BlobSasBuilder()
        {
            BlobContainerName = blobClient.BlobContainerName,
            BlobName = blobClient.Name,
            Resource = "b",
            StartsOn = DateTimeOffset.UtcNow,
            ExpiresOn = DateTimeOffset.UtcNow.AddDays(7)
        };
        sasBuilder.SetPermissions(BlobSasPermissions.Read);
        BlobUriBuilder blobUriBuilder = new BlobUriBuilder(blobClient.Uri)
        {
            Sas = sasBuilder.ToSasQueryParameters(userDelegationKey,
                blobServiceClient.AccountName)
        };
        return blobUriBuilder.ToUri();
    }

    // BlobEntity is the poster's own type and is not shown in the question.
    public async Task<BlobEntity> GetAsync(string containerName, string blobName)
    {
        var ret = new BlobEntity(containerName, blobName);
        var blobServiceClient = new BlobServiceClient(_connectionString);
        var containerClient = blobServiceClient.GetBlobContainerClient(containerName);
        var blobClient = containerClient.GetBlobClient(blobName);
        if (await blobClient.ExistsAsync())
        {
            var ms = new MemoryStream();
            await blobClient.DownloadToAsync(ms);
            ret.DataStream = ms;
        }
        return ret;
    }
}
```

The exception that I receive when the execution reaches line 34 (in the code above) at blobServiceClient.GetUserDelegationKeyAsync is:

Status: 403 (Server failed to authenticate the request. Make sure the value of Authorization header is formed correctly including the signature.)
ErrorCode: AuthenticationFailed

Additional Information:
AuthenticationErrorDetail: Only authentication scheme Bearer is supported

How do I correctly get a Uri to the blob file that the client browser can use directly to read the file? The blob file is an HTML file whose Url will be used in an Iframe src property.

@BlazorDevCanada We apologize for the delay in responding to your issue.

Please note that GetUserDelegation only supports AD Authorization and Azure AD only supports Bearer Tokens. Therefore, you need to use Bearer Tokens for authentication in this case.

Hope this helps. Please let us know if you have any further questions and we will be glad to assist you further. Thank you!

Remember:

Please accept an answer if correct. Original posters help the community find answers faster by identifying the correct answer. Here is how.

Want a reminder to come back and check responses? Here is how to subscribe to a notification.

The application that is trying to execute GetUserDelegationKeyAsync is a registered app in one AD B2C directory. But the storage account is in a different directory. I can get access to the blob using the connection string. But I cannot grant the registered app permissions to the Azure account that resides in a different directory because the API permissions on the registered app do not show “Azure Storage” under the “Microsoft APIs”.

Is there a way to do this?

@BlazorDevCanada The only way to do this then since the App Registration (security principal) is in a B2C tenant is to use the Delegated permission - user_impersonation, this'll give the B2C App the same permissions as the signed in user.

Please refer to this document for more details- https://learn.microsoft.com/en-us/rest/api/storageservices/authorize-with-azure-active-directory#use-oauth-access-tokens-for-authentication

Hope this helps. Please do let me know if you need any further assistance. Thank you!
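The two answers above both come down to the same change: GetUserDelegationKeyAsync has to be made with an Azure AD token credential rather than the shared key inside a connection string. The following is an added example (not code from the question or from the Microsoft replies) showing the builder from the question rewritten around a TokenCredential, with an app-only credential for the first answer and an OnBehalfOfCredential for the delegated user_impersonation scenario in the second; tenant, client and secret values, the `userAssertion` (the signed-in user's token) and the helper names are assumptions.

```csharp
using System;
using System.Threading.Tasks;
using Azure.Core;
using Azure.Identity;
using Azure.Storage.Blobs;
using Azure.Storage.Blobs.Models;
using Azure.Storage.Sas;

// Helper names and the credential parameters are assumptions for this example.
public static class UserDelegationSas
{
    // App-only: the service principal itself must hold a data-plane role
    // (e.g. Storage Blob Data Reader) on the storage account.
    public static TokenCredential AppCredential(string tenantId, string clientId, string clientSecret)
        => new ClientSecretCredential(tenantId, clientId, clientSecret);

    // Delegated: exchange the signed-in user's token (userAssertion) for a token
    // the app presents to Storage; the user's own RBAC assignment is what applies.
    public static TokenCredential DelegatedCredential(string tenantId, string clientId,
                                                      string clientSecret, string userAssertion)
        => new OnBehalfOfCredential(tenantId, clientId, clientSecret, userAssertion);

    public static async Task<Uri> CreateReadOnlySasUri(TokenCredential credential,
        string accountName, string containerName, string blobName, TimeSpan lifetime)
    {
        // A TokenCredential makes the client send a Bearer token, which is what the 403 asked for.
        var serviceClient = new BlobServiceClient(
            new Uri($"https://{accountName}.blob.core.windows.net"), credential);
        var blobClient = serviceClient.GetBlobContainerClient(containerName).GetBlobClient(blobName);

        // Small clock-skew allowance; a user delegation key can be valid for at most 7 days.
        DateTimeOffset start = DateTimeOffset.UtcNow.AddMinutes(-5);
        DateTimeOffset expiry = DateTimeOffset.UtcNow.Add(lifetime);
        UserDelegationKey key = await serviceClient.GetUserDelegationKeyAsync(start, expiry);

        // Read-only, single-blob SAS signed with the delegation key rather than the account key.
        var sasBuilder = new BlobSasBuilder(BlobSasPermissions.Read, expiry)
        {
            BlobContainerName = containerName,
            BlobName = blobName,
            Resource = "b",
            StartsOn = start,
        };
        var uriBuilder = new BlobUriBuilder(blobClient.Uri)
        {
            Sas = sasBuilder.ToSasQueryParameters(key, accountName)
        };
        return uriBuilder.ToUri();
    }
}
```

Keep `lifetime` as short as the iframe use case allows; a user delegation SAS is only revocable by revoking the delegation key or the identity's role assignment, not per URL.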