Why can't I be intercepted on Awaf by configuring Request Content AND does not contain string? What's the reason?

It looks like your requirement is to allow only two URLs in your ASM policy to protect an API, however what you are trying to do is to write a an attack signature which will block all requests and only allow API ones. This is inefficient and difficult to configure and debug as you may have noticed.

A better and cleaner approach would be to simply create those two API URLs (ending *r_code and *r_key) as the only allowed URLs in the policy (e.g. delete the * wildcard) and make sure that 'Illegal URL' is set to 'Block' - that's it! All other requests will be blocked automatically without a need to write and maintain custom Attack Signatures.