Web Application Firewalls a.k.a. WAF are garbage.
All the vendors, from the cheapest Cloudflare to "enterpise" like Imperva, Akamai, F5, Checkpoint, or Fortinet are just cheating with their customers by delivering 0 actual protection.
99.9% of WAF signatures are just RegExps written 10-15 years ago
To prove this, we put Twitter payloads with community bypasses to the CSV list you can check.
Don't trust WAF vendors, but test them.