How to Configure AWS WAF Rules for Optimal Protection of a WhatsApp Bot-Based Front-End in AWS App Runner?


I'm currently developing an application hosted on AWS App Runner, where the front-end is a bot interfacing through WhatsApp. I'm considering implementing AWS WAF (Web Application Firewall) to safeguard my application from malicious bots and other security threats. However, I'm not entirely sure which AWS WAF rules would be most effective for this specific use case.

Here's what I'm contemplating:

  1. Bad Bots Control: My primary concern is to protect my WhatsApp bot from other automated traffic that could disrupt its operations or pose security risks. Would the AWS WAF bot control features be sufficient for this, or should I consider additional measures?
  2. PDF, RSS Traffic: The application doesn't interact with PDFs or RSS feeds. Should I configure AWS WAF rules to specifically block or monitor this type of traffic?
  3. IP Reputation Rule Groups: How effective are the Amazon IP reputation list and Anonymous IP list in mitigating threats from known malicious sources in the context of a bot-based application?
  4. Custom IP- and path-based rules.
  5. Scope-Down Statements in WAF Rules: How can I effectively use scope-down statements to ensure the rules are focused and cost-efficient?

I'm seeking advice on the best practices for configuring AWS WAF rules in this scenario. Any insights or recommendations based on similar experiences would be greatly appreciated!

AWS
asked 5 months ago, 243 views
1 Answer

Configuring AWS WAF rules for optimal protection of a WhatsApp bot-based front-end in AWS App Runner involves setting up rules and conditions to filter and block malicious traffic.

I would create WAF rules to define protection, including:

  • SQL Injection: Identify and block SQL injection attempts.
  • Cross-Site Scripting (XSS): Block malicious scripts.
  • Rate-Based Rules: Limit the rate of requests from a single IP to prevent DDoS attacks.
  • IP Reputation Lists: Block requests from known malicious IP addresses.

In addition, I would customize rules specifically for WhatsApp bot traffic:

  • Analyze the traffic patterns of your WhatsApp bot and customize rules accordingly.
  • Whitelist IP ranges associated with WhatsApp.
  • Adjust rule conditions based on the expected behavior of your bot traffic.
AWS
Renato
answered 5 months ago
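The rule set the answer outlines, written out as a WAFv2 rules document. This is an added example, not the answerer's or AWS's own configuration: it assumes the bot receives WhatsApp callbacks on a path starting with `/webhook`, that an IP set named `whatsapp-webhook-sources` (the `REGION`, `ACCOUNT_ID` and `IPSET_ID` parts of its ARN are placeholders) already holds the WhatsApp egress ranges you choose to trust, and that 2000 requests per five minutes per source IP is an acceptable ceiling; the managed rule group names are AWS's real identifiers.

```json
[
  {
    "Name": "RateLimitWebhook",
    "Priority": 0,
    "Statement": {
      "RateBasedStatement": {
        "Limit": 2000,
        "AggregateKeyType": "IP",
        "ScopeDownStatement": {
          "ByteMatchStatement": {
            "FieldToMatch": { "UriPath": {} },
            "PositionalConstraint": "STARTS_WITH",
            "SearchString": "/webhook",
            "TextTransformations": [ { "Priority": 0, "Type": "NONE" } ]
          }
        }
      }
    },
    "Action": { "Block": {} },
    "VisibilityConfig": { "SampledRequestsEnabled": true, "CloudWatchMetricsEnabled": true, "MetricName": "RateLimitWebhook" }
  },
  {
    "Name": "BotControlExceptWhatsApp",
    "Priority": 1,
    "Statement": {
      "ManagedRuleGroupStatement": {
        "VendorName": "AWS",
        "Name": "AWSManagedRulesBotControlRuleSet",
        "ManagedRuleGroupConfigs": [
          { "AWSManagedRulesBotControlRuleSet": { "InspectionLevel": "COMMON" } }
        ],
        "ScopeDownStatement": {
          "NotStatement": {
            "Statement": {
              "IPSetReferenceStatement": {
                "ARN": "arn:aws:wafv2:REGION:ACCOUNT_ID:regional/ipset/whatsapp-webhook-sources/IPSET_ID"
              }
            }
          }
        }
      }
    },
    "OverrideAction": { "None": {} },
    "VisibilityConfig": { "SampledRequestsEnabled": true, "CloudWatchMetricsEnabled": true, "MetricName": "BotControlExceptWhatsApp" }
  },
  {
    "Name": "AmazonIpReputation",
    "Priority": 2,
    "Statement": { "ManagedRuleGroupStatement": { "VendorName": "AWS", "Name": "AWSManagedRulesAmazonIpReputationList" } },
    "OverrideAction": { "None": {} },
    "VisibilityConfig": { "SampledRequestsEnabled": true, "CloudWatchMetricsEnabled": true, "MetricName": "AmazonIpReputation" }
  },
  {
    "Name": "AnonymousIpList",
    "Priority": 3,
    "Statement": { "ManagedRuleGroupStatement": { "VendorName": "AWS", "Name": "AWSManagedRulesAnonymousIpList" } },
    "OverrideAction": { "None": {} },
    "VisibilityConfig": { "SampledRequestsEnabled": true, "CloudWatchMetricsEnabled": true, "MetricName": "AnonymousIpList" }
  },
  {
    "Name": "CommonRuleSet",
    "Priority": 4,
    "Statement": { "ManagedRuleGroupStatement": { "VendorName": "AWS", "Name": "AWSManagedRulesCommonRuleSet" } },
    "OverrideAction": { "None": {} },
    "VisibilityConfig": { "SampledRequestsEnabled": true, "CloudWatchMetricsEnabled": true, "MetricName": "CommonRuleSet" }
  },
  {
    "Name": "SqlInjectionRuleSet",
    "Priority": 5,
    "Statement": { "ManagedRuleGroupStatement": { "VendorName": "AWS", "Name": "AWSManagedRulesSQLiRuleSet" } },
    "OverrideAction": { "None": {} },
    "VisibilityConfig": { "SampledRequestsEnabled": true, "CloudWatchMetricsEnabled": true, "MetricName": "SqlInjectionRuleSet" }
  },
  {
    "Name": "BlockPathsNotServed",
    "Priority": 6,
    "Statement": {
      "NotStatement": {
        "Statement": {
          "ByteMatchStatement": {
            "FieldToMatch": { "UriPath": {} },
            "PositionalConstraint": "STARTS_WITH",
            "SearchString": "/webhook",
            "TextTransformations": [ { "Priority": 0, "Type": "NONE" } ]
          }
        }
      }
    },
    "Action": { "Block": {} },
    "VisibilityConfig": { "SampledRequestsEnabled": true, "CloudWatchMetricsEnabled": true, "MetricName": "BlockPathsNotServed" }
  }
]
```

Save this as `rules.json`, create the web ACL with `aws wafv2 create-web-acl --scope REGIONAL --rules file://rules.json` (plus the usual name, default action and visibility config arguments), and attach it to the service with `aws wafv2 associate-web-acl`, passing the App Runner service ARN as the resource. Two design points: the WhatsApp IP set is used as a scope-down exclusion on Bot Control rather than as a terminating Allow rule, so Meta's automated callbacks are not flagged as bots but still pass through the SQLi and Common rule checks; and the final path rule answers the PDF/RSS question by blocking everything the bot does not serve instead of enumerating file types. Bot Control is billed per inspected request on top of the base charges, so the scope-down also keeps that cost bounded. WAF cannot validate the webhook body itself, so the application must still verify the `X-Hub-Signature-256` header on each callback.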
