I guess that the question is how to protect your API. There is not much you can do to protect those besides adding strict rate limit policies that adapt to your application.
You need to set the protection level of the API endpoint to low to ensure that no request receives a JS Challenge.
That being said, I’m not sure if firewall rules would override the under attack mode (so that your API endpoint is still in low security); I’d guess not.
Be advised that having UAM enabled constantly is, most of the time, a bad practice. It would be best to think of UAM as a last resort to mitigate an attack while you analyze the attack patterns.
Finally, you can make reaching the API endpoint slightly harder by adding your own user agent that only your app knows.
While this is trivial to bypass if the attacker has access to your application (they can dump the user agent), it adds resilience against attacks that otherwise would be null.
I hope that helps!
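An added example, not part of the original reply: a short log review that derives a per-client rate limit from what app clients actually send and shows which clients a user-agent check would and would not catch. The log tuple format, the `ExampleApp/1.0` user agent, the 60-second window and the headroom factor are all assumptions, and the sample entries are constructed.

```python
import math
import statistics
from collections import Counter, defaultdict

APP_UA = "ExampleApp/1.0"  # hypothetical User-Agent known only to the app
WINDOW = 60                # rate-limit window in seconds (assumption)

# Constructed sample log for one API endpoint: (unix_time, client_ip, user_agent)
SAMPLE = (
    [(1200 + 10 * i, "198.51.100.7", APP_UA) for i in range(6)]    # normal app client
    + [(1200 + 20 * i, "198.51.100.8", APP_UA) for i in range(3)]  # light app client
    + [(1205 + i, "203.0.113.50", "python-requests/2.31") for i in range(40)]  # flood, generic UA
    + [(1210 + i, "203.0.113.51", APP_UA) for i in range(30)]      # flood, copied app UA
)

def peak_per_window(events):
    """Highest request count per client IP in any fixed WINDOW-second bucket."""
    buckets = defaultdict(Counter)
    for ts, ip, _ua in events:
        buckets[ip][ts // WINDOW] += 1
    return {ip: max(counts.values()) for ip, counts in buckets.items()}

def suggest_limit(events, headroom=2.0):
    """Median peak among clients sending APP_UA, scaled by a headroom factor.

    The median keeps a few abusive clients that copied the UA from inflating it.
    """
    app_events = [e for e in events if e[2] == APP_UA]
    peaks = peak_per_window(app_events)
    return math.ceil(statistics.median(peaks.values()) * headroom)

def review(events, headroom=2.0):
    """Return the suggested limit, clients above it, and requests lacking APP_UA."""
    limit = suggest_limit(events, headroom)
    over = {ip: n for ip, n in peak_per_window(events).items() if n > limit}
    wrong_ua = Counter(ip for _ts, ip, ua in events if ua != APP_UA)
    return {"limit": limit, "over_limit": over, "wrong_ua": dict(wrong_ua)}

if __name__ == "__main__":
    result = review(SAMPLE)
    print("suggested requests per window:", result["limit"])
    print("clients over the limit:", result["over_limit"])
    print("requests without the app UA:", result["wrong_ua"])
```

On the sample, the user-agent check only singles out the client with the generic agent, while the rate limit also catches the client that copied the app's agent.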