If my understanding of your environment is correct, then you have an Azure Front Door with WAF that points to an Azure CDN.
Just so you know, Azure Front Door contains a basic CDN, and Azure CDN can have a WAF. Depending upon what you are trying to accomplish, you might be able to remove one of those services.
To have your CDN only accept requests that route through your Azure Front Door, you can deny requests that are not from the IP ranges of accepted requests to only come from Azure Front Door's IP Range. Azure Front Door's IP Range is found inside the general Azure Datacenter's IP Ranges Here. You can also deny the request if it does not contain one of the AFD specific headers.
Azure CDN can filter the requests using the standard rules engine.