Upload large files to Azure Blob Storage using block uploads and generate SAS tokens for time-limited access

Verified steps

1. Authenticate to the storage account using a storage account key, a managed identity token (preferred in Azure-hosted workloads), or a service principal credential; initialize a BlobServiceClient with the account URL and credential
2. For files larger than 256 MiB (or to parallelize), use staged block uploads: split the file into blocks (up to 4000 MiB each, max 50,000 blocks), upload each block with Put Block (PUT /{container}/{blob}?comp=block&blockid={base64-id}), then commit with Put Block List (PUT /{container}/{blob}?comp=blocklist)
3. Stage blocks in parallel for throughput; the Azure SDK's upload_blob method with max_concurrency parameter handles this automatically for local file uploads
4. Generate a Service SAS token using BlobSasPermissions, an expiry time, and the account key or a user delegation key (preferred — does not embed the account key); encode the SAS and append it as a query string to the blob URL
5. For user delegation SAS, first obtain a UserDelegationKey via the storage service (valid up to 7 days) using a principal with the Storage Blob Delegator role; sign the SAS with this key instead of the account key
6. Set Content-Disposition and Cache-Control headers when generating the SAS or at upload time to control how browsers handle the download