WAF, Rate-Limiting Rules and Cloudflare-provided proxy-services

What is the name of the domain?

not domain-specific

What is the issue you’re encountering

Is Cloudflare making its WAF useless?

What steps have you taken to resolve the issue?

For clients that are using CF-provided proxies, e.g. WARP or Apple Privacy Relay, the customer will not receive the original client IP.

Is there some additional information applied during WAF rate limiting, or do these services function like normal anonymizing VPNs, so that you can either block all WARP traffic or none of it?

How does Cloudflare ensure that these services are not abused by attackers which become unblockable unless you block all traffic from these services?