Once you have the ACR ID and your web app’s identity’s principal ID, you should grant your web app permission to pull images from your ACR. With the command below, you can assign the least privilege access to your web app to to download images.
az role assignment create \
--assignee $PRINCIPAL_ID \
--scope $ACR_ID \
--role AcrPull
{
"id": "/subscriptions/<redacted>/resourceGroups/acr-task-demo/providers/Microsoft.ContainerRegistry/registries/acre357b213/providers/Microsoft.Authorization/roleAssignments/<redacted>",
"name": "<redacted>",
"principalId": "<redacted>",
"principalType": "ServicePrincipal",
"resourceGroup": "acr-task-demo",
"roleDefinitionId": "/subscriptions/<redacted>/providers/Microsoft.Authorization/roleDefinitions/7f951dda-4ed3-4680-a7ca-43fe172d538d",
"scope": "/subscriptions/<redacted>/resourceGroups/acr-task-demo/providers/Microsoft.ContainerRegistry/registries/acre357b213",
"type": "Microsoft.Authorization/roleAssignments"
}