URL Rewrite rules applied twice

We have a system where every build of our static site is deployed to S3 under a prefix taken from the Git commit, e.g. in an S3 bucket we have

4b8b0f9d84/index.html
4b8b0f9d84/js/dist.js
4b8b0f9d84/...more static files...
196f2ace24/index.html
196f2ace24/js/dist.js
196f2ace24/...more static files...

In Cloudflare we have a couple of URL rewrite rules - one which is a “pointer” rule which rewrites all request paths for files to have the prefix of the currently deployed version, for example requests for path /js/dist.js are rewritten to /4b8b0f9d84/js/dist.js where 4b8b0f9d84 is the version we want to have currently active/deployed. The second rule rewrites requests for other non-static paths to /4b8b0f9d84/index.html which loads our React app (which then interprets the path to determine what to show). It looks like the URL rewrite rules are being applied twice, as unless we have a condition in the first “pointer” rule expression to exclude paths starting with commit versions, we see paths like /4b8b0f9d84/4b8b0f9d84/index.html being requested from S3 (we can see the requested key in the 404 page from S3).
The double rewrite seems to be linked to having Workers running on the request, as we have a worker which adds security-related headers like Content-Security-Policy to all responses; if we change the route for that worker from our.site/* to our.site/foo so it doesn’t match all requests, the URL rewrite rules are only applied once.
Is the doubled application of rewrite rules expected, and is there anywhere the specifics of this behaviour are documented? i.e. why does it happen and how is it related to Workers?
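
A small model of the two rules described in the post, added here as an example; it is not the poster's configuration or Cloudflare's rule engine. It shows why a second pass yields /4b8b0f9d84/4b8b0f9d84/index.html and how excluding version-prefixed paths makes the pointer rule idempotent. Assumptions: a commit prefix is a first path segment of 10 lowercase hex characters, and a "file" path is one whose last segment has an extension.

```javascript
// Model of the two rewrite rules from the post (illustrative only).
const ACTIVE_VERSION = "4b8b0f9d84"; // currently deployed prefix, from the post

// Assumption: commit prefixes are 10 lowercase hex characters.
const VERSION_PREFIX = /^\/[0-9a-f]{10}\//;
// Assumption: a static file request has an extension on its last segment.
const isFile = (path) => /\/[^/]+\.[^/]+$/.test(path);

// One pass over both rules. `guarded` adds the exclusion the post mentions:
// the pointer rule skips paths that already start with a commit prefix.
function rewrite(path, { guarded }) {
  if (isFile(path)) {
    if (guarded && VERSION_PREFIX.test(path)) return path; // already versioned
    return `/${ACTIVE_VERSION}${path}`;                    // "pointer" rule
  }
  return `/${ACTIVE_VERSION}/index.html`;                  // React app fallback
}

// Apply the rules `passes` times, as if the request were evaluated again.
function applyPasses(path, passes, opts) {
  let current = path;
  for (let i = 0; i < passes; i++) current = rewrite(current, opts);
  return current;
}

// Compare one and two passes, with and without the exclusion condition.
function demo() {
  const rows = [];
  for (const path of ["/js/dist.js", "/dashboard/settings"]) {
    for (const guarded of [false, true]) {
      rows.push({
        path,
        guarded,
        once: applyPasses(path, 1, { guarded }),
        twice: applyPasses(path, 2, { guarded }),
      });
    }
  }
  return rows;
}

console.table(demo());
```

With the exclusion in place the result of two passes equals the result of one, so the S3 key requested is the same whether or not the rules run again.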