Reputation: 1082
I have a Microsoft Fabric workspace containing a lakehouse. I have a requirement to export data from an external finance system and push the resultant CSV files directly into the 'Files' area of the lakehouse. This is being done using a Service Principal, since Fabric does not support SAS URI or Account key authorization.
I have created the Service Principal, given it a secret, added it to a security group, and granted the SP Contributor access on the workspace containing the lakehouse.
I have also enabled the necessary permissions in Fabric (Service principals can use Fabric APIs, Users can access data stored in OneLake with apps external to Fabric).
For the API permissions in Azure, the Service Principal has Tenant.ReadWrite.All and I have granted admin consent.
I am testing the upload of a file via PowerShell, but it is returning an HTTP 403 error (Forbidden):
User is not authorized to perform current operation for workspace '{workspace GUID}' and artifact '{lakehouse GUID}'
StorageException,Microsoft.WindowsAzure.Commands.Storage.Blob.Cmdlet.NewAzDataLakeGen2ItemCommand
The fact that it is returning a Storage exception suggests I'm missing some permissions and I wonder if my Service Principal needs additional permissions? What delegated permissions do I need? If this was an ADLS Gen2 account, I'd simply add the Service Principal into the Storage Blob Data Contributor RBAC role on the account, but you don't have that option with Fabric.
Update: I tried the file upload via AzCopy and looking at the detailed logs it gave me an "Incorrect Endpoint" error:
Upvotes: 0
Views: 600
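For readers hitting the same wall, here is an added example (not the asker's script) showing how a service-principal upload to the lakehouse Files area is addressed through the OneLake DFS endpoint with the Az.Storage cmdlets. It assumes the Az.Accounts and Az.Storage modules are installed, that the workspace and lakehouse are referenced by display name, and that the tenant id, client id and client secret are supplied through environment variables; the workspace, lakehouse and file names are hypothetical placeholders.

```powershell
# Added example, not the asker's code: upload a CSV to a Fabric lakehouse 'Files'
# area over the OneLake DFS endpoint, authenticating as a service principal.
# Assumes Az.Accounts and Az.Storage are installed. Names below are hypothetical.

param(
    [string]$TenantId      = $env:FABRIC_TENANT_ID,     # assumption: supplied via environment
    [string]$ClientId      = $env:FABRIC_CLIENT_ID,     # assumption: supplied via environment
    [string]$WorkspaceName = 'FinanceWorkspace',        # hypothetical workspace display name
    [string]$LakehouseName = 'FinanceLakehouse',        # hypothetical lakehouse display name
    [string]$LocalCsv      = '.\gl_export.csv',         # hypothetical local export file
    [string]$TargetFolder  = 'Files/finance/inbound'    # folder under the lakehouse Files area
)

# Keep the client secret out of the script body and the shell history:
# read it from an environment variable and hold it as a SecureString.
$secret = $env:FABRIC_CLIENT_SECRET
if (-not $secret) { throw 'FABRIC_CLIENT_SECRET is not set' }
$cred = New-Object System.Management.Automation.PSCredential(
    $ClientId, (ConvertTo-SecureString $secret -AsPlainText -Force))

# Sign in as the service principal: no interactive user, no SAS, no account key.
Connect-AzAccount -ServicePrincipal -Tenant $TenantId -Credential $cred | Out-Null

# OneLake is addressed like an ADLS Gen2 account named 'onelake' on the
# fabric.microsoft.com endpoint (https://onelake.dfs.fabric.microsoft.com).
# Without -Endpoint the context would default to core.windows.net, which is
# not where OneLake lives.
$ctx = New-AzStorageContext -StorageAccountName 'onelake' `
                            -UseConnectedAccount `
                            -Endpoint 'fabric.microsoft.com'

# The DFS filesystem is the workspace; the lakehouse is the '<name>.Lakehouse'
# folder inside it, and user files sit under its 'Files' subfolder.
$fileName   = Split-Path -Leaf $LocalCsv
$remotePath = "$LakehouseName.Lakehouse/$TargetFolder/$fileName"

# Upload (overwriting any previous copy), then list the folder to confirm the write landed.
New-AzDataLakeGen2Item -Context $ctx -FileSystem $WorkspaceName `
                       -Path $remotePath -Source $LocalCsv -Force | Out-Null

Get-AzDataLakeGen2ChildItem -Context $ctx -FileSystem $WorkspaceName `
                            -Path "$LakehouseName.Lakehouse/$TargetFolder" |
    Select-Object Path, Length, LastModified
```

Setting `-Endpoint` explicitly is the part that addresses the "Incorrect Endpoint" style of failure seen with AzCopy; it does not by itself change a 403, which OneLake returns after the token has been accepted, so that response is about what the principal is allowed to do in the workspace rather than about how the request was addressed.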