Under Attack - Whitelist API Path

My web application is currently receiving DDoS bursts of ~1,000,000 requests at a time.

If I enable “Under Attack” mode on my domain example.com, this does a blanket challenge that blocks API and WSS requests to https://api.example.com and wss://api.example.com. Can both of those paths be whitelisted from the under attack mode with a firewall rule(s)?

I was trying to also achieve this result with firewall rules earlier:
Rule #1: (http.request.uri contains "https://api.example.com") or (http.request.uri contains "wss://api.example.com") - ALLOW

Rule #2: (http.request.uri contains "https://example.com") or (http.request.uri contains "https://app.example.com") - JS CHALLENGE

The idea here was to challenge all requests to app.example.com or example.com with rule #2, but have rule #1 bypass this if they’re trying to request api.example.com or wss://api.example.com. This seemed to not challenge users requesting the main webpage(s).

I was ultimately able to achieve this result by using page rules by having requests to example.com and api.example.com set the security level to “I’m under attack”. This still leaves vulnerabilities with random subdomains like test.example.com being forwarded to example.com as a catchall.

Is anyone able to help show some insight on why the firewall URI rules were not working properly? Or if there’s a better way to go about this?