Instead of WAF, just build a custom web application server that only responds to requests with valid data that pertains to the app at hand and only with valid credentials.

The idea is to severely restrict the available attack surface.