WAF support for HTTP APIs is currently not supported.
As a workaround, you can front the API Gateway with Amazon CloudFront and enable WAF on CloudFront.
As ben_c mentioned you can put CloudFront in front of your API.
To prevent the direct call of your API and to only allow CloudFront to call your API is described in the Well-Architected Labs and follows best practices. https://wellarchitectedlabs.com/security/300_labs/300_multilayered_api_security_with_cognito_and_waf/3_prevent_requests_from_accessing_api_directly/
In general it is handled by inserting a specific header in CloudFront and check this header during the call.
HTTP API does not support WAF. If you need it, use REST APIs. If you still want to use HTTP API, you should follow the recommendations done by others which is to use a CloudFront distribution in front of your API and make sure the request is coming from there.
API Gateway access log still get requests blocked by WAFasked 8 months ago
Protect HTTP Api Gateway with WAF
Protect and secure http API GWAccepted Answer
protect http API GW when CF has S3 as origin
Passing HTTP Headers from API Gateway HTTP API to Step Function?asked 8 months ago
Return a custom header from lambda authorizer in API-gateway (HTTP api)asked 6 months ago
secure API GW with WAF
API HTTP Gateway path rewrite questionAccepted Answerasked 5 months ago
API Gateway - Gateway response - HTTP APIAccepted Answerasked 2 years ago
API Key injection for http API