SAS token management/renewal for use by Logic App

[Squarepour]

Hi,
My Logic App is currently configured to upload a newly received email to blob storage in .eml format. While in development, I simply copied the SAS token manually from the blob storage container UI into the URI of my HTTP PUT action in Logic Apps. That Action worked fine and the blob is uploaded to storage accordingly. However, as I'm prepping to move to production I know that I can't realistically copy/paste a SAS token on a regular basis to keep the system alive. From a high level, for Logic App workflows that include HTTP PUT actions (that require integrated SAS token) then how are folks doing this? I know I can have an Azure Function that renews the SAS token. However, I'm a bit lost when it comes to getting the Azure Function (via .NET Azure SDK) to upload that SAS token into Application Settings on the Logic App. I'm dabbling with the Azure.ResourceManager.Logic class but I'm lost. I know that Azure Function can push the SAS token to a key vault, but I think it would introduce latency to have the logic app query the key vault for every execution of the workflow. It would be simpler/faster for the workflow to pull the value from Application Settings.

What do you think? Should I try to put the SAS token in Application Settings? If I can't get an Azure Function to handle it, could a separate Logic App workflow run hourly to pull the latest SAS token from the key vault and store in Application Settings?

Note that I'm uploading the .eml blob with Metadata which precludes me from using the regular blob storage action. I don't think there's another blob storage action that can edit/create metadata on existing blob storage files. I really wish I could upload blobs with metadata to blob storage using just the IAM security roles but I can't find a way to do that.
Additionally, hard coding the storage container key into my workflow just seems like a bad idea.

Thanks for your help! I'm new to all this and your insight is greatly appreciated.