Yep, me too. I just added a small change to the Firewall Rule: if a request to wp-login is not from my home country, block it. In addition to that, the next Firewall Rule after it challenges (JS challenge), meaning I allow only requests to wp-login from my country, but all of those requests are challenged. I am also using Google reCAPTCHA on the wp-login form (another layer of protection) and a Rate Limiting rule to protect my wp-login.
- advantage: small country … if someone wants to do some bad harm from my country, their attempts are logged at the origin host and blocked …
In terms of the IP, someone could be smart and try to access it using a VPN by selecting my country, but (unfortunately for them) I've already blocked all of the providers so far, so they are blocked in advance in case someone wants to try to sneak up that way.
- you can add a criterion to your existing one, for example:
  (http.request.uri.path contains "wp-login.php" and ip.src ne Your_IP)
  if that's an appropriate way for you (if you have got a static IP or are using a VPN service that always gives you the same IP)
Either that way, but be careful (take a look at the post below), or, as I already mentioned, using Cloudflare Access:
In terms of using Cloudflare WARP and blocking/challenging users who use it to access your website, I might not be so experienced, but if you challenge or block Cloudflare, you could end up having other issues.
Kindly and patiently wait for a reply from someone else who is more experienced in this field. I believe, and would suggest, @sandro, who might have some great tips and tricks to share for the security part.