Unfortunately, I think you have a few misunderstandings about how Shared Access Signatures.
A shared access signature is (simply put) a digitally signed permissions slip to access a set of resources. The signature if based on the parameters (area, type of access, start/end time, etc...) that are included as query string parameters in the URL. We then generate and append a 'signature' which is a hash of these parameters and the "secret key" for the storage account.
As such, the only real differentiation between two signatures is the parameters used in its creation.
Once a signature it generated, it can't be revoked. However, if the signature was based on a storage account access policy (basically a short-cut for assigning share access signature parameters), the signature will be invalid if that policy is removed. This is because the policy was a parameter associated with the signature and once that policy has been removed, the signature of course can't be validated.
Now you might think you could then set up different policies for each customer. But... there's a limit on the number of policies that can be associated with a storage account (5 last I checked). So this really doesn't scale to support multi-tenant solutions.
Now another key point is that the "key" mentioned in the code you shared is the WA Storage Account key. There's only 2 of these and they're generated for you by the system. These should NEVER be shared with anyone that doesn't need full administrative rights to the entire storage account. What you're really sharing with your customers is the signature we discussed previously.
All this said, and without knowing more details about your scenario requirements, I'd recommend you explore using a façade or gatekeeper style pattern. With the façade, you stand up a service that authenticates/authorizing requests and then retrieves the requested content from storage. This approach allows you to introduce concepts like caching into the calls as well as the aggregation of results for more complex request types. A gatekeeper pattern in this case would also be fairly simple, generating shorter time shared access signatures (hours/days instead of weeks/months). The user would present some type of credential which you could then compare against your DB to determine if they get a shared access signature or not.
I hope this helps. :)