Specifying SAS Token Authorization header with Azure REST API

There are tons of posts on SO about how the Authorization header is not needed when using a SAS token as part of the URI. Those posts are correct, and the following code works:

    Dim oRequest
    Dim sURL
    Dim SASToken
    SASToken = "sv=2021-10-04&ss=btqf&srt=sco&st=2023-01-10T14%3A23%3A49Z&se=2024-01-10T14%3A23%3A00Z&sp=rwdxftlacup&sig=MySigButNotNotMyRealSig%3D"
    sURL = "https://myaccount.queue.core.windows.net/myqueue/messages?peekonly=true&numofmessages=32&" & SASToken

    Set oRequest = CreateObject("MSXML2.XMLHTTP.6.0")
    oRequest.Open "GET", sURL
    oRequest.setRequestHeader "x-ms-date", getUTC
    oRequest.Send
    Wscript.Echo oRequest.Status, oRequest.statusText

Output:
    200          OK

However, I have an IoT device that limits the URL length to 288 characters. The shortest I've been able to make my URI with my SAS Token tacked on is 320 characters. Short of making my blobs public, I think my only option is to actually use the Authorization header, but just putting the Sas token in the Authorization header does not work.

    Dim oRequest
    Dim sURL
    Dim SASToken
    SASToken = "sv=2021-10-04&ss=btqf&srt=sco&st=2023-01-10T14%3A23%3A49Z&se=2024-01-10T14%3A23%3A00Z&sp=rwdxftlacup&sig=MySigButNotNotMyRealSig%3D"
    sURL = "https://myaccount.queue.core.windows.net/myqueue/messages?peekonly=true&numofmessages=32&" & SASToken

    Set oRequest = CreateObject("MSXML2.XMLHTTP.6.0")
    oRequest.Open "GET", sURL
    oRequest.setRequestHeader "x-ms-date", getUTC
    oRequest.setRequestHeader "Authorization", "SharedAccessSignature " & SASToken
    oRequest.Send
    Wscript.Echo oRequest.Status, oRequest.statusText

Output:
     400      Authentication information is not given in the correct format. 
              Check the value of Authorization header.

I have seen some code that generates a SHA256 hash of information and uses that in the header, but my IoT device cannot generate this.

Unfortunately you can't pass a SAS token in authorization header. It will have to be a part of your request URL.

However, there are a few things you can do to reduce your request URL length.

• Use Service SAS for the queue instead of Account SAS. That will remove ss=btqf&srt=sco from the SAS token. Instead you will get sr=q.
• See if you can omit SAS start date (st) as it is optional. If SAS start date is not included in the SAS token, then the SAS token becomes effective immediately.
• Use only the permissions that you need. Right now your SAS token has all permissions. By restricting the permissions to only the required ones, you can further reduce the request URL length. Since you're just peeking at the messages, all you need is read permission (sp=r).
• See if you can move your SAS token related parameters in an access policy. That way your SAS token will only have signed version, access policy and the signature parameters.