I can think of 2 possible solutions for your situation:
1. Custom WAF rule based on User Agent: Now that you have identified the User Agent of the requests doing the attack, you can implement a custom WAF rule filtering traffic by the user agent that belongs to the Chrome-Lighthouse requests. Then you can set the action to Managed Challenge. The rule should look similar to this:
You can always add more expressions to have control over the requests that are going to be Challenged.
You can read more information in our official documentation:
Note: You can block those IPs directly using a Custom WAF Rule, but the attacker can easily get another pool of IPs and your rule is no longer going to work.
2. Rate Limiting Rule: With this option you can rate limit the number of requests made by individual IPs. You can filter the traffic here as well by Hostname, URI, Full URI, URI Query String, URI Path, etc.
A very generic Rate Limiting Rule will look something like this:
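
Added example, not part of the original answer and not Cloudflare's rule syntax or implementation: a small Python model of the two options above, run over constructed traffic, that shows which requests each rule catches and why an IP block list alone falls behind a rotating IP pool. The 5-requests-per-10-seconds threshold, the sample user agents and the addresses (documentation ranges) are assumptions.

```python
from collections import Counter, defaultdict, deque

UA_MARKER = "Chrome-Lighthouse"  # user-agent substring named in the answer
LIMIT, PERIOD = 5, 10            # assumed threshold: 5 requests per 10 s per IP

# Constructed sample traffic: (seconds, client IP, user agent, path).
LH = "Mozilla/5.0 (constructed sample) Chrome-Lighthouse"
BROWSER = "Mozilla/5.0 (constructed sample) Firefox/115.0"
SAMPLE = sorted(
    # Flood that uses a fresh IP for every request.
    [(t, f"203.0.113.{t + 1}", LH, "/") for t in range(12)]
    # One noisy client with an ordinary browser user agent.
    + [(t, "198.51.100.7", BROWSER, "/search") for t in range(8)]
    # A normal visitor.
    + [(3, "192.0.2.10", BROWSER, "/"), (9, "192.0.2.10", BROWSER, "/about")],
    key=lambda r: r[0],
)

def evaluate(requests, ua_rule=True, limit=LIMIT, period=PERIOD):
    """Count actions: the user-agent rule runs first, then a sliding-window
    per-IP rate limit applies to everything it did not match."""
    windows = defaultdict(deque)  # ip -> timestamps inside the current window
    actions = []
    for ts, ip, ua, _path in requests:
        if ua_rule and UA_MARKER in ua:
            actions.append("managed_challenge")
            continue
        window = windows[ip]
        while window and ts - window[0] >= period:
            window.popleft()  # drop requests older than the period
        window.append(ts)
        actions.append("rate_limited" if len(window) > limit else "allow")
    return Counter(actions)

def missed_by_ip_blocklist(requests, blocked_ips):
    """Count Lighthouse requests that an IP block list alone lets through."""
    return sum(1 for _, ip, ua, _ in requests
               if UA_MARKER in ua and ip not in blocked_ips)

if __name__ == "__main__":
    print("both rules:     ", dict(evaluate(SAMPLE)))
    print("rate limit only:", dict(evaluate(SAMPLE, ua_rule=False)))
    early = {ip for ts, ip, ua, _ in SAMPLE if UA_MARKER in ua and ts < 6}
    print("missed by block list:", missed_by_ip_blocklist(SAMPLE, early))
```

In this model the per-IP rate limit alone never triggers on the flood, because each request arrives from a different address, while the user-agent rule challenges all of it.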