Token Authentication working priority

Hi,

  1. I follow this guide link to config more than one Token Authentication with Firewall Rule,like below images , if I create two same path but with different expiration time , which one hits first ?
  2. If I create three Firewall Rules path as follows: test.domain.com/download/* and test.domain.com/download/.jpg and test.domain.com/download/image/.jpg, which one hits first?
  3. Regarding the previous question, how to generate tokens with three Firewall Rules and difference HMAC keys ?
  4. Like example path: test.domain.com/download/cat.jpg?verify=1484063787-9JQB8vP1z0yc5DEBnH6JGWM3mBmvIeMrnnxFi3WtJLE%3D , if user copy is path to another user, should pass Firewall Rules check, how will cloudflare avoid or this situation?