I'm not seeing a better way than what you presented @Jason. I gave my service principal the Storage Blob Data Reader
role and then created a condition (via the "Code" Editor type) to only allow the Blob.List
SubOperation.
(
(
(ActionMatches{'Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read'} AND SubOperationMatches{'Blob.List'})
)
)
(My other screenshots look like Jason's)
Then I tested using
# Authenticate
az login --service-principal -u $clientid -p $clientsecret --tenant $tenant
# Unsuccessful attempt to download. (az storage blob show is the same)
az storage blob download --container-name $container --name test.txt --subscription $subscriptionid --account-name $account
# Successful attempt to view the lastModified property
az storage blob list --container-name $container --account-name $account --query "[].properties.lastModified" | jq '.[]' -r
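The two manual tests above can be folded into one check that fails loudly if either outcome is wrong. This is an added example, not part of the original post: it assumes the az CLI is already logged in as the restricted service principal (as in the post) and that the account, container and blob name are passed in by the caller.

```shell
#!/usr/bin/env sh
# Added example (not from the original post). Verifies that a principal holding
# Storage Blob Data Reader with the Blob.List ABAC condition can list blobs but
# cannot download them. Assumes `az login --service-principal ...` already ran.

# check_list_only ACCOUNT CONTAINER BLOB
# Returns 0 when listing succeeds AND downloading is denied, 1 otherwise.
check_list_only() {
  account=$1
  container=$2
  blob=$3

  # Listing must succeed: it is the blobs/read action with the Blob.List
  # sub-operation, which the condition allows.
  if ! az storage blob list --account-name "$account" \
        --container-name "$container" --auth-mode login \
        --output none >/dev/null 2>&1; then
    echo "FAIL: blob list was denied for $account/$container" >&2
    return 1
  fi

  # Downloading must fail: it is the same blobs/read action but not the
  # Blob.List sub-operation, so the condition does not match and access is denied.
  tmpfile=$(mktemp)
  if az storage blob download --account-name "$account" \
        --container-name "$container" --name "$blob" --file "$tmpfile" \
        --auth-mode login >/dev/null 2>&1; then
    rm -f "$tmpfile"
    echo "FAIL: blob download of $blob was allowed" >&2
    return 1
  fi
  rm -f "$tmpfile"

  echo "OK: list allowed, download denied for $account/$container"
  return 0
}
```

Run it as `check_list_only "$account" "$container" test.txt` after the `az login` step; a non-zero exit means the role assignment or its condition is not behaving as intended.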