Work :InfoSec, Pentester, Sysadmin - Not great at any, but I keep doing it anyway.
Play : Gaming, Sim Racing - Too slow at everything, but I keep doing it anyway.
Sport: Formula1 - my team no longer keeps losing, but they keep doing it anyway.
I think that maybe this vulnerability report places too much emphasis on 'Service Tags' but misses where issues actually reside. Service tags are the (only reliable?) way to allow common Azure services to access your resources. The problem is that these Azure services are publicly accessible and lack the access controls necessary to prevent misuse.
The example given is the use of 'Application Insights' to monitor internal resources. A perfectly reasonable thing to want to do - application monitoring is boring but necessary, and if there is an out-of-the-box solution to do it then why not use that?
In the olden days, I would spin up an instance of my monitoring tool of choice and lock it down so that only I have access - no problem.
However, customers are encouraged to use a single, globally accessible 'Application Insights' system and - if there is no facility in Application Insights to say 'only allow tests of my server to originate from me' then you will get this problem. The same applies for all of the other identified affected services.
No amount of fiddling around with service tags, nsgs or the like can fix this.
Typically, MS tries to shift the blame onto the customer by saying that they should implement authentication on each service. Indeed they should, but in the real world that is - sadly - not always possible and that is the reason you hide them in a private network in the first place.
The solution is to use granular access control capabilities in the listed applications (if such a facility exists), or stop using them with private resources (or create your own private instance of them if that is possible).
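The comment's point is that a network rule keyed on a service tag trusts a whole shared Azure service, not your tenant's use of it. The following added example (not the commenter's or Tenable's code) models NSG inbound rule evaluation in a simplified way to show that: two probes arriving from the same tag range, one yours and one from any other tenant using the same service, are indistinguishable to the NSG, and an audit helper lists Allow rules that trust a service tag toward a port with no application-layer authentication. The tag prefixes are constructed from RFC 5737 documentation ranges, not real Azure ranges; the tag names are used as labels only, and the default-deny model is an assumption.

```python
"""Added example: simplified NSG rule evaluation and a service-tag trust audit.
Constructed data only; prefixes are documentation ranges, not Azure's."""
import ipaddress
from dataclasses import dataclass
from typing import List, Set

# Constructed prefixes standing in for what Azure publishes for each tag (assumption).
SERVICE_TAG_PREFIXES = {
    "ApplicationInsightsAvailability": ["203.0.113.0/24"],
    "AzureCloud": ["198.51.100.0/24", "203.0.113.0/24"],
}


@dataclass
class Rule:
    name: str
    priority: int     # lower number wins, as in NSGs
    source: str       # "*", a CIDR, or a service tag name
    dest_port: str    # "*" or a port number as a string
    access: str       # "Allow" or "Deny"


def source_matches(source: str, src_ip: str) -> bool:
    """True if src_ip falls under the rule's source (wildcard, service tag, or CIDR)."""
    if source == "*":
        return True
    ip = ipaddress.ip_address(src_ip)
    prefixes = SERVICE_TAG_PREFIXES.get(source, [source])
    return any(ip in ipaddress.ip_network(p, strict=False) for p in prefixes)


def evaluate(rules: List[Rule], src_ip: str, port: int) -> str:
    """First matching rule by priority decides; unmatched traffic is denied (simplified model)."""
    for rule in sorted(rules, key=lambda r: r.priority):
        if rule.dest_port not in ("*", str(port)):
            continue
        if source_matches(rule.source, src_ip):
            return rule.access
    return "Deny"


def audit_tag_trust(rules: List[Rule], authenticated_ports: Set[int]) -> List[str]:
    """Names of Allow rules whose source is a whole service tag and whose
    destination port does not carry application-layer authentication.
    These are the rules where the NSG cannot limit access to your own tenant."""
    findings = []
    for rule in rules:
        if rule.access != "Allow" or rule.source not in SERVICE_TAG_PREFIXES:
            continue
        if rule.dest_port == "*" or int(rule.dest_port) not in authenticated_ports:
            findings.append(rule.name)
    return findings


# Constructed rule set: an internal app on 8080 opened to availability-test probes.
RULES = [
    Rule("allow-appinsights-probes", 100, "ApplicationInsightsAvailability", "8080", "Allow"),
    Rule("allow-admin-ssh", 200, "192.0.2.0/24", "22", "Allow"),
    Rule("deny-all-inbound", 4096, "*", "*", "Deny"),
]

if __name__ == "__main__":
    # Two probes from the same tag range: one is "my" test, the other comes from
    # another tenant using the same shared service. The NSG allows both.
    for ip in ("203.0.113.10", "203.0.113.200"):
        print(ip, evaluate(RULES, ip, 8080))
    # SSH is covered by its own authentication; 8080 is not, so it is flagged.
    print("rules trusting a whole service tag:", audit_tag_trust(RULES, {22}))
```

The audit's output is exactly the set of rules the comment says cannot be fixed by tightening the NSG further: the remedy lives in the application (authentication or per-tenant access control) or in a private instance of the service, not in the tag.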
Azure customers whose firewall rules rely on Azure Service Tags, pay attention: You could be at risk due to a vulnerability detected by Tenable Research. Here’s what you need to know to determine if you’re affected, and if so, what you should do right away to protect your Azure environment from attackers.