what you mentioned in previous posts is more useful if you want for example to prevent a brute force attack on login.php (unnecessary use of CPU and other resources) or some other file/path, also against spam.
It’s another thing when you have something between the visitor and the hosting (origin)
for example Cloudflare, then the CF can decide whether to allow traffic to your origin or block it.
CF has one advantage because it covers millions of domains
and their AI then easily learns to recognize the attack and quickly take countermeasures
For some basic actions on CF you can be guided by this
The problem is bigger when infected devices can store cookies and execute JS
and that trend is growing
For example on my CF 20% of unwanted traffic successfully passes the JS challenge
so there is no one rule that would cover everything
You need to have a few rings of defense
and know your website and its weaknesses and then well configure FW and the rest.