When life gives you lemons:
I found it was possible to bypass the WAF by using the X-Forwarded-For header. More impactful was that it was possible to replay the same malformed request with the X-Forwarded-For header, resulting in DoS for arbitrary IPs. https://t.co/BYucZIs0UO