Azure Front Door WAF ip restrictions for static web apps

I've been trying to implement Azure Front Door custom rules for IP restrictions on Azure Static Web Apps. So far I have:

Configured the static web app to support Front Door: https://learn.microsoft.com/en-us/azure/static-web-apps/front-door-manual
Configured domains, backends and routing for Front Door
Added WAF policy and custom rule for ip restrictions following this guidance: https://learn.microsoft.com/en-us/azure/web-application-firewall/afds/waf-front-door-configure-ip-restriction

Everything else works just fine, except that the IP restriction rule seems to be blocking all traffic (or least the IP's it's supposed to let through). Similar rule with Geo locations works just fine. IP Restriction rule is:

Match type: IP address
Match variable: SocketAddr (tried with RemoteAddr as well, with same result)
Operation: Does not contain
IP range: List of X.X.X.X/32 that should go through.
Action: block

Logs show that traffic from IP's in IP range is indeed blocked by Front Door.

Has anyone managed to get such setup working or is there an apparent error in what I'm trying to do? We've checked the rule and logs with a colleague and can't spot any apparent errors, and the fact that blocking based on geo location works, leads me to believe that this scenario might not work yet with Front Door and Static Web Apps.

Some discussion I've been able to find:

Static Web App issue: https://github.com/Azure/static-web-apps/issues/373
Similar questions in here relating to Web Apps: How to configure Web Apps such that they cannot be accessed directly? (the mentioned header is implemented in static web app config)

Solution

A workaround can be to set rule 100 to allow that /32 IPs and then a specific deny any after it as 200.

Your rule looks ok so as long as you waited enough time for the confoguration to spread to all front doors ( up to 20-25 minutes ) it should work as per your expectations.