Azure Storage Accounts can have their access restricted by IP address or an Azure virtual network (with a Microsoft.Storage
service endpoint). When this is done, the storage resource will only accept connections from those designated origins. This covers data operations (read, write, etc.) and control operations (create new container, etc.); I'm calling these the "data" and "management" planes, respectively.
Is it possible to isolate these at a networking level (e.g., with a firewall), or can it only be done at a role level? For example, could I have a VM on the same network that can only do control operations, regardless of the roles of the principal?
The operations for Azure storage are split as you say, data and management. The data piece is through the storage APIs, whereas the management goes through the Azure Resource Manager APIs, which are the management APIs used for all services.
Storage accounts have the concept of a firewall, where you can restrict what IPs can access the storage account; this covers the data side of things. If you block someone using this firewall, they will still be able to make management requests to ARM (assuming they have the rights).
Blocking access to ARM for the management side is much harder, and you are better off looking at using permissions for this.
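To make the split in the answer concrete, here is an added example (not from the question, the answer, or Azure itself) that models how the two planes are authorised: the storage account firewall (default action, IP rules, virtual network subnets) is evaluated only for requests to the data endpoints, while a request to the ARM host skips it entirely and is decided by RBAC alone. The endpoint suffixes, the subnet identifiers, the source IPs and the role split are constructed assumptions for the model; in particular it ignores shared-key access and treats data-plane authorisation as requiring a data role.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import FrozenSet, List, Optional, Tuple

# Assumption: public endpoint suffixes treated as the data plane, and the
# single ARM host that serves the management plane.
DATA_PLANE_SUFFIXES = (
    ".blob.core.windows.net",
    ".queue.core.windows.net",
    ".table.core.windows.net",
    ".file.core.windows.net",
)
ARM_HOST = "management.azure.com"

# Simplified role split (constructed for the model; shared-key access ignored).
MANAGEMENT_ROLES = {"Owner", "Contributor", "Storage Account Contributor"}
DATA_ROLES = {"Storage Blob Data Contributor", "Storage Blob Data Reader"}


@dataclass
class NetworkRuleSet:
    """Storage account firewall: default action plus IP and subnet allow-lists."""
    default_action: str = "Deny"                           # "Allow" or "Deny"
    ip_rules: List[str] = field(default_factory=list)      # CIDR blocks
    vnet_subnets: List[str] = field(default_factory=list)  # subnet resource ids


@dataclass
class Request:
    host: str
    source_ip: str
    principal_roles: FrozenSet[str]
    source_subnet: Optional[str] = None  # set when arriving via a service endpoint


def plane(host: str) -> str:
    """Classify a request by destination host: data plane or management plane."""
    if host == ARM_HOST:
        return "management"
    if host.endswith(DATA_PLANE_SUFFIXES):
        return "data"
    raise ValueError(f"unknown endpoint: {host}")


def firewall_allows(rules: NetworkRuleSet, req: Request) -> bool:
    """Evaluate the storage account firewall against the request's origin."""
    ip = ipaddress.ip_address(req.source_ip)
    if any(ip in ipaddress.ip_network(cidr, strict=False) for cidr in rules.ip_rules):
        return True
    if req.source_subnet and req.source_subnet in rules.vnet_subnets:
        return True
    return rules.default_action == "Allow"


def evaluate(rules: NetworkRuleSet, req: Request) -> Tuple[bool, str]:
    """Return (allowed, reason). The firewall is consulted for the data plane only."""
    if plane(req.host) == "management":
        # ARM never reads the storage account's network rules; only RBAC applies.
        if req.principal_roles & MANAGEMENT_ROLES:
            return True, "management: allowed by RBAC (firewall not consulted)"
        return False, "management: denied by RBAC"
    if not firewall_allows(rules, req):
        return False, "data: denied by storage firewall"
    if req.principal_roles & DATA_ROLES:
        return True, "data: allowed by firewall and RBAC"
    return False, "data: passed firewall, denied by RBAC"


def demo() -> dict:
    """Constructed scenario: a VM on a subnet that is NOT in the rule set."""
    rules = NetworkRuleSet(default_action="Deny",
                           ip_rules=["203.0.113.0/24"],          # constructed
                           vnet_subnets=["/subnets/app-subnet"])  # constructed
    vm = dict(source_ip="10.0.0.4", source_subnet="/subnets/other-subnet",
              principal_roles=frozenset({"Contributor", "Storage Blob Data Reader"}))
    office = dict(source_ip="203.0.113.10",
                  principal_roles=frozenset({"Storage Blob Data Reader"}))
    return {
        "vm_arm": evaluate(rules, Request(host=ARM_HOST, **vm)),
        "vm_blob": evaluate(rules, Request(host="stgexample.blob.core.windows.net", **vm)),
        "office_blob": evaluate(rules, Request(host="stgexample.blob.core.windows.net", **office)),
        "office_arm": evaluate(rules, Request(host=ARM_HOST, **office)),
    }


if __name__ == "__main__":
    for name, (allowed, reason) in demo().items():
        print(f"{name:12} {'ALLOW' if allowed else 'DENY ':5} {reason}")
```

The `vm_*` pair is the situation the question describes: the same principal from the same VM can still create containers through ARM while every blob read is stopped by the firewall, so the network rules alone cannot confine a machine to the management plane, and only RBAC (the `office_arm` case) separates that side.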