It seems that in order to do the List command using the code I was using the search tags function even though I am not providing any tags.

The bottom of this article (https://learn.microsoft.com/en-us/rest/api/storageservices/list-blobs?tabs=microsoft-entra-id) shows that to do this requires a different permission "Storage Blob Data Owner" rather than just "Storage Blob Data Reader"

Assigning this to the Group my user is in at the top level of the storage account doesn't work, but assigning it to the Service Principle that the code is using for authentication does work.