My understanding from the “Overview of the Windows CDN” page on MSDN is that only blobs that are publically available can be cached with the Windows Azure CDN. To make a blob publically available for anonymous access, you must denote its container as public. Once you do so, all blobs within that container will be available for anonymous read access.
If the public access to the container is set to enable read access then any anonymous using having the url to the blob container can read all blobs in that container. READ access does not automatically give WRITE, DELETE, or LIST access to the container.
If the blob container is public, then also creating a shared access signature or stored access policy won’t prevent that public access. If you want to control access to the container using shared access signature or stored access policy then you must set public access to OFF. This is discussed in “Controlling Access to Windows Azure Blob Containers with Java” and elsewhere on MSDN.