What is a difference between private endpoint and service endpoints?

For private endpoints, the Azure service gets a private IP assigned within you VNET. So from within your VNET you can access the Azure service via private IP and the traffic never flows through the Internet. When you send traffic to PaaS resource, it will always ensure traffic stays within your VNet.

For service endpoints, your VNET/subnet doesn't need the public IP in order to be accessed from the Azure service. Service endpoint adds a route to the VNET subnet routing table that routes the traffic to the Azure service over the Microsoft Azure network backbone. The source IP on the VNET is private, however traffic still leaves your VNet and hits the public endpoint of PaaS service.

With service endpoints, the source IP addresses of the virtual machines in the subnet for service traffic switches from using public IPv4 addresses to using private IPv4 addresses. Existing Azure service firewall rules using Azure public IP addresses will stop working with this switch. Please ensure Azure service firewall rules allow for this switch before setting up service endpoints. You may also experience temporary interruption to service traffic from this subnet while configuring service endpoints.