2. Allow Azure Services and resources to access this server setting set to on/off?
I always set this to off. I do not like it ON.
Why? Because I like to control things via vnets (maybe IPs if really needed – it depends on your solution). Nowadays you can use private endpoint connections which allow connections from within a vnet to a private IP. Sure, you may want to use IP addresses, if you do then I suggest database level firewall rules over server level, especially if you use failover groups.
There are several good ones here.