How to manage WAF with cloudfront signed cookie

Hi there. There is my architecture:

WAF [Check for some cookies exists, else, redirect to login] -->

Cloudfront with behaviors with signed cookie for trust key groups and cache static resources -->

API GW -->

LB -->

EKS

Everything worked find until we integrated the signed cookie with key group trust and then, it's seems that the signed cookie key validation happens before the WAF staff, so we get 403 at any case, before the login itself.

Any idea how to manage that the WAF will occurs before the CF signed cookie validation?

Thanks.