0
votes

Per my understanding, there are two types of SAS tokens when it comes to Azure Storage Accounts:

  1. Account-level SAS tokens
  2. Blob container/Queue-level SAS tokens

I observed that if we do not choose to use the primary/secondary keys to authenticate with the storage account and use the account-level SAS tokens as an authentication mechanism, then I cannot create the Blob container-level SAS tokens using Stored Access Signature. Why is that? Is there a way to make it work? I do not want to give my service access to the account-level keys and want to create SAS tokens to implement the RBAC at runtime; is there any way to do the same?

1 Answer

1
votes

I observed that if we do not choose to use the primary/secondary keys to authenticate with the storage account and use the account-level SAS tokens as an authentication mechanism, then I cannot create the Blob container-level SAS tokens using Stored Access Signature. Why is that?

This is by design. A container-level SAS only lets you work at the container level, where you can perform operations on the blobs inside that container. Creation of a blob container is an account-level activity, and thus you would need to use an Account SAS. At this time, Account SAS does not have a concept of a Shared Access Policy.

I do not want to give my service access to the account-level keys and want to create SAS tokens to implement the RBAC at runtime; is there any way to do the same?

Yes, there is. Azure Blob Storage supports Azure AD-based authentication/authorization and has support for Role-based Access Control (RBAC) available in your Azure subscription. You can assign granular RBAC roles to your users in Azure AD and they will be able to perform only the operations allowed by their roles. You can read more about it here: https://docs.microsoft.com/en-us/azure/storage/common/storage-auth-aad.

You can find more details about various authorization options available in Azure Storage here: https://docs.microsoft.com/en-us/rest/api/storageservices/authorize-requests-to-azure-storage.