I had to investigate this today and it is very frustrating. I'll add the supporting documentation and what to do to get it to work. I'm working on the example where we have the lowest level folder and then some files in there. The users should be able to read the folder and read/write 1 file

ACLs - This is the basic how to

Blob Storage RestAPI - It helps to be generally aware of how the URLs are formed

Known Issues with Storage Explorer - This was the key for me figuring it out

After assigning the ACLs, you then go to the folder level > Right click > Copy URL. Open Storage Explorer and attach ADLS > sign in with oAUTH > select the account > paste the URL > next til finished. This will then attach the specific folder within ADLS. You can't just look for the storage account normally.