I have an Application Gateway with WAF in front of several applications (WebAPI, FunctionApp).
My applications are all written for .NET 6+.
I see in my logs a lot of requests to PHP files. Most likely these are scripts to check for vulnerabilities.
I want to block all PHP requests in the Application Gateway / WAF so my applications don't need to worry about them and my logs are no longer cluttered with these requests.
So I created a YAML pipeline script to add the policy:
- task: AzureCLI@2
  displayName: Add application gateway WAF policy custom rule
  inputs:
    azureSubscription: 'MySub'
    scriptType: 'pscore'
    scriptLocation: 'inlineScript'
    inlineScript: >
      az network application-gateway waf-policy custom-rule create
      --name BlockPhpExtension
      -g MyRg
      --policy-name AGDefault-wafpol
      --action Block
      --priority 10
      --rule-type MatchRule
- task: AzureCLI@2
  displayName: Add application gateway WAF policy custom rule match-condition
  inputs:
    azureSubscription: 'MySub'
    scriptType: 'pscore'
    scriptLocation: 'inlineScript'
    inlineScript: >
      az network application-gateway waf-policy custom-rule match-condition add
      --resource-group MyRg
      --policy-name AGDefault-wafpol
      --name BlockPhpExtension
      --match-variables RequestUri --operator EndsWith --values .php --transform lowercase
When I look at the custom rules in Azure Portal it seems the rule is correct:
But when I look at the logging of my application, I still see PHP requests:
The rule was created more than 16 hours ago and the list of PHP requests is from less than 4 hours ago.
It seems I'm missing something.
I changed the condition from EndsWith '.php' to Contains '.php' and now it seems to be working.
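As an added illustration (not part of the question above), the two operators from the rule applied locally to a few constructed request URIs, after the same lowercase transform. It assumes the value the WAF compares is the request path together with any query string, which is why a URI such as `/index.php?cmd=1` is missed by EndsWith but caught by Contains.

```shell
#!/bin/sh
# Local model of the two custom-rule match conditions; these are constructed
# sample URIs, not lines from the question's logs.

# --transform lowercase
lower() { printf '%s' "$1" | tr '[:upper:]' '[:lower:]'; }

# --operator EndsWith --values .php : returns 0 on match, 1 otherwise
ends_with_php() {
  case "$(lower "$1")" in
    *.php) return 0 ;;
    *)     return 1 ;;
  esac
}

# --operator Contains --values .php : returns 0 on match, 1 otherwise
contains_php() {
  case "$(lower "$1")" in
    *.php*) return 0 ;;
    *)      return 1 ;;
  esac
}

# Print a comparison table when run directly.
main() {
  printf '%-32s %-9s %s\n' 'uri' 'EndsWith' 'Contains'
  for uri in '/index.php' '/wp-login.PHP' '/index.php?cmd=1' \
             '/vendor/phpunit/eval.php/' '/api/values' '/docs/php-guide.html'; do
    if ends_with_php "$uri"; then e=block; else e=pass; fi
    if contains_php "$uri"; then c=block; else c=pass; fi
    printf '%-32s %-9s %s\n' "$uri" "$e" "$c"
  done
}

[ "${0##*/}" = "sh" ] || main
```

Note that Contains also blocks any URI with `.php` anywhere in it, including inside a query parameter value, so it is a broader match than "path ends in .php".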