I have created Blob container and associated a CDN and everything is okay. I want to achieve following.
If I make the container private, even CDN is not able to access the content. If I make container public, content is available for direct access as well.
In AWS world its quite possible with access policy.
This is possible with a private container and a SAS url. When a customer requests the CDN url with the sas key, the CDN will request the asset from blob using the SAS url if it is not already cached.
If you wish to keep the SAS token hidden from the end customer completely, you can use a Verizon Premium profile and use a URL rewrite rule to add the SAS token from the CDN side.
Additional information on SAS: https://learn.microsoft.com/en-us/azure/storage/storage-dotnet-shared-access-signature-part-1#what-is-a-shared-access-signature
Additional information on CDN rewrite: https://learn.microsoft.com/en-us/azure/cdn/cdn-rules-engine-reference-features#url-rewrite