What does the X-Forwarded-For note in the docs mean?

0

The docs:
https://docs.aws.amazon.com/apigateway/latest/developerguide/api-gateway-mapping-template-reference.html

say that:

$context.identity.sourceIp — The source IP address of the TCP connection making the request to API Gateway. Warning. You should not trust this value if there is any chance that the X-Forwarded-For header could be forged.

What does that even mean?
Anyone could "forge" the X-Forwarded-For header easily.
So what? Does it mean that $context.identity.sourceIp shouldn't be trusted at all? Why are the docs so elusive about it? The whole internet is using $context.identity.sourceIp, and you're saying that it doesn't actually guarantee anything? Why not remove this property entirely then, in order to stop confusing people?

2 Answers
1

As stated in the documentation, $context.identity.sourceIp is the source IP address of the TCP connection making the request to API Gateway.

Whenever the X-Forwarded-For header is available, the source IP would come from it, but we don't trust all entries in the header. We only trust the entry that made the call directly to the endpoint.

If the call chain is like this,

ClientIp, [proxyServer1, ..., proxyServerN], CloudFront/Regional

proxyServerN would be used for the sourceIp address when the X-Forwarded-For header is available.

CloudFront adds itself to the X-Forwarded-For header, but a Regional endpoint API/Regional custom domain name does not add itself to the X-Forwarded-For header. Therefore, in the case of CloudFront, the IP address appended by CloudFront would not be used as sourceIp, but the IP of the last proxy prior to the CloudFront IP in the X-Forwarded-For header. In the case of Regional, the last IP address in the X-Forwarded-For header would be used as sourceIp.

Please ignore the warning in the documentation. The team is aware of it and the documentation would be updated.

AWS
answered 3 years ago
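A model of the selection rule the answer above describes, written here as an added example; it is not AWS code and does not show API Gateway's actual implementation. It assumes only what the answer states: the call chain ClientIp, [proxyServer1, ..., proxyServerN], CloudFront/Regional, that every forwarding hop (including, as an assumption, the Regional front end) appends the address it accepted the TCP connection from, that CloudFront additionally appends its own address, and that API Gateway then counts entries from the right. All addresses are constructed documentation-range values; the CloudFront address is a placeholder. What it makes visible is that anything a client writes into its own X-Forwarded-For is pushed leftwards by each hop and never lands in the position that is read, so sourceIp is the directly connected peer, which is the real client only when nothing sits between the client and the endpoint.

```python
"""Model of the $context.identity.sourceIp selection rule from the answer above.

Added illustration, not AWS code. Assumptions (from the answer): each hop appends
the peer that connected to it; Regional does not append its own address; CloudFront
does; API Gateway then reads entries from the right. Addresses are constructed.
"""
from ipaddress import ip_address
from typing import List, Optional, Tuple

REGIONAL = "REGIONAL"
EDGE = "EDGE"  # edge-optimized endpoint, i.e. fronted by CloudFront


def parse_xff(header: Optional[str]) -> List[str]:
    """Split a comma-separated X-Forwarded-For value into validated entries."""
    if not header:
        return []
    entries = [e.strip() for e in header.split(",") if e.strip()]
    for entry in entries:
        ip_address(entry)  # raises ValueError on junk such as "1.2.3" or "foo"
    return entries


def append_hop(header: Optional[str], peer: str) -> str:
    """What a forwarding hop does on receipt: record the address that connected to it."""
    return ", ".join(parse_xff(header) + [peer])


def source_ip(tcp_peer: str, header: Optional[str], endpoint: str) -> str:
    """Return what $context.identity.sourceIp would be under the answer's rules."""
    entries = parse_xff(header)
    if not entries:
        return tcp_peer  # no header at all: the raw TCP peer address
    if endpoint == REGIONAL:
        return entries[-1]  # Regional does not add itself, so the last entry is the peer
    if endpoint == EDGE:
        # CloudFront appended its own address last; the peer is the entry before it.
        if len(entries) < 2:
            raise ValueError("edge request must carry both a peer and a CloudFront entry")
        return entries[-2]
    raise ValueError(f"unknown endpoint type {endpoint!r}")


def trace(client: str, proxies: List[str], endpoint: str,
          forged: Optional[str] = None,
          cloudfront: str = "192.0.2.99") -> Tuple[str, str]:
    """Walk the chain ClientIp, [proxy1..proxyN], CloudFront/Regional.

    `forged` is an X-Forwarded-For value the client itself sends; `cloudfront`
    is a placeholder for a CloudFront edge address (constructed, not real).
    Returns (header as API Gateway sees it, resulting sourceIp).
    """
    header = forged
    peer = client
    for proxy in proxies:
        header = append_hop(header, peer)  # each proxy records who connected to it
        peer = proxy
    if endpoint == EDGE:
        header = append_hop(header, peer)        # CloudFront records the hop that reached it
        header = append_hop(header, cloudfront)  # ...and, per the answer, adds itself
        return header, source_ip(cloudfront, header, endpoint)
    # Assumption: the Regional front end records the peer but not its own address.
    header = append_hop(header, peer)
    return header, source_ip(peer, header, endpoint)


if __name__ == "__main__":
    client, proxy = "203.0.113.10", "192.0.2.5"
    # Client connects directly and forges a header: the forged entry is ignored.
    print(trace(client, [], REGIONAL, forged="198.51.100.1"))
    # Client behind a proxy: sourceIp is proxyServerN, exactly as the answer says.
    print(trace(client, [proxy], REGIONAL))
    # Same chain through CloudFront: CloudFront's own entry is skipped.
    print(trace(client, [proxy], EDGE))
```

Run it with no arguments to print the three scenarios. The first scenario is the one the question worries about: a forged header reaches API Gateway as "198.51.100.1, 203.0.113.10" and the selected value is still 203.0.113.10, the TCP peer. The second shows the limit of the guarantee: with a proxy in front of the client, sourceIp is the proxy, so an application that needs the original client must read the left-hand entries itself, and those are the ones nobody vouches for.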
0

I think the note is from this thread https://forums.aws.amazon.com/message.jspa?messageID=669697.
At that time, the value of $context.identity.sourceIp came from the X-Forwarded-For header, but it is fixed now.
AWS team should remove that note.

tdkim
answered 3 years ago
