The query string params are not available on the URL until the url is requested. So when the download button is clicked, the full url is generated at that time. Otherwise the url of the asset is just like /photos/abc.jpg which is not accessible because container requires a valid shared access signature.
How can the files be cached while stored in the private azure blog storage when there is no shared access signature appended on the url? are you saying that we need to generate these unique query string params inside the workers? We can program against the Azure blob storage from within workers to generate shared access signature?
or are you saying that when that new URL is generated with query string params and accessed for the first time, it will then be cached? instead of cloudflare pre caching.