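Azure WAF custom rule that allows only function URLs for Azure Functions. The rule blocks a request when its URI does not match the function URL pattern and its Host header equals the configured value. The second match condition uses the Host request header; replace {{ request_headers:host }} with the host value as a string.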
{
  "action": "Block",
  "matchConditions": [
    {
      "matchValues": [
        "\\/api\\/([^?&\\n]+)\\?code=([A-Za-z0-9+/=]+)"
      ],
      "matchVariables": [
        {
          "variableName": "RequestUri"
        }
      ],
      "negationConditon": true,
      "operator": "Regex",
      "transforms": []
    },
    {
      "matchValues": [
        "{{ request_headers:host }}"
      ],
      "matchVariables": [
        {
          "selector": "host",
          "variableName": "RequestHeaders"
        }
      ],
      "negationConditon": false,
      "operator": "Equal",
      "transforms": []
    }
  ],
  "name": "AzureFunctionsAllowFuntionURLOnly",
  "priority": 100,
  "ruleType": "MatchRule",
  "state": "Enabled"
}
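To check the rule's logic before deploying it, the following added example (not part of the original gist) evaluates the two match conditions offline against constructed requests. It assumes that all conditions of a custom rule must hold for the action to fire and that Python's `re.search` approximates the WAF `Regex` operator; the host `myfunc.example.net`, the function name and the helper names are hypothetical.

```python
import json
import re

# The gist's rule, reduced to the fields evaluation needs. "myfunc.example.net"
# is a constructed stand-in for {{ request_headers:host }}.
RULE = json.loads(r'''{
  "action": "Block",
  "matchConditions": [
    {"matchValues": ["\\/api\\/([^?&\\n]+)\\?code=([A-Za-z0-9+/=]+)"],
     "matchVariables": [{"variableName": "RequestUri"}],
     "negationConditon": true, "operator": "Regex"},
    {"matchValues": ["myfunc.example.net"],
     "matchVariables": [{"selector": "host", "variableName": "RequestHeaders"}],
     "negationConditon": false, "operator": "Equal"}
  ]
}''')


def lookup(variable, request):
    """Return the request field a matchVariable refers to."""
    if variable["variableName"] == "RequestUri":
        return request["uri"]
    headers = {k.lower(): v for k, v in request["headers"].items()}
    return headers.get(variable["selector"].lower(), "")


def condition_holds(cond, request):
    """Evaluate one matchCondition, applying its negation flag."""
    hit = False
    for variable in cond["matchVariables"]:
        value = lookup(variable, request)
        for expected in cond["matchValues"]:
            if cond["operator"] == "Regex":
                # Assumption: re.search approximates the WAF Regex operator.
                hit = hit or re.search(expected, value) is not None
            else:  # "Equal"; transforms is empty, so compare as sent
                hit = hit or value == expected
    return hit != cond["negationConditon"]


def decide(uri, host):
    """Return "Block" when every condition holds, else "NoMatch"."""
    request = {"uri": uri, "headers": {"Host": host}}
    if all(condition_holds(c, request) for c in RULE["matchConditions"]):
        return RULE["action"]
    return "NoMatch"  # this rule does not fire; later rules still apply


if __name__ == "__main__":
    for uri in ("/api/HttpTrigger1?code=abc123==", "/api/HttpTrigger1", "/"):
        print(uri, "->", decide(uri, "myfunc.example.net"))
```

A `NoMatch` result for a different Host value shows that the rule only constrains the configured host; requests for other hosts behind the same WAF are left to other rules.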