May I ask have you checked and do you see any logged Firewall Events being blocked?
If so, you could whitelist / allow the IP(s) of the Payment Gateway for further cases (if they are always the same, for example).
From the screenshot above there is a Service: Bot Fight Mode.
Also, may I ask what is the expression of the 3rd rule JS Challenge?
With the 1st you allow it, but the 3rd one is challenging it, obviously to me.
Or, otherwise, due to Bot Fight Mode, the AMAZON-AES due to its reputation is being suspicious and challenged that way.