This morning I sit down with a freshly booted brain, and I've fixed it. You're right! ... The list on the right does not list apps, so I started typing "S u b..." into the search box and my app with that name prefix appears, and I can give the role okay. Now I'm confused ... did I not previously start typing into the search box? I can't believe I wouldn't have tried that in recent days, but maybe during all the fumbling around I didn't ... I dunno.

I assigned the role Reader to my app, but it died with permission failure trying to ListKeys (list the storage account keys). It's not obvious which Role I should use, so I gave-up and made it an Owner role and now it works (with overkill).