Any ISV that provides WAF rules to AWS is subject to how the AWS WAF engine and HTTP work. When a file is uploaded via HTTP it is attached to the HTTP POST request as the body. This could be a multipart form, raw content or a URL link to upload. The AWS WAF engine is capable of scanning the body up to the size limts.
What was logged in the terminating rule matching details - "terminatingRuleMatchDetails": ,?