I implemented a micro-service model and each API is protected using bearer token authentication... no service logic is executed unless a valid OAuth token is provided as part of the request header.
What problem does using a Web Application Firewall to protect my APIs solve if only authenticated users are able to execute them?
Client IDs and secrets can leak. Users can become disgruntled. The WAF protects you in a situation where an authenticated user is attacking/probing the system.
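The point above as an added example, not part of the original question or answer: every request in the sample below already carries a valid bearer token, yet WAF-style inspection still flags two principals. The log fields, the two signatures, and the `max_denied_paths` threshold are assumptions made for illustration, not a production rule set.

```python
import re
from collections import defaultdict
from urllib.parse import unquote_plus

# Constructed sample: gateway log entries for requests whose bearer token was
# already validated. Field names are assumptions made for this example.
SAMPLE_REQUESTS = [
    {"sub": "alice", "client_id": "web-app", "path": "/orders", "query": "id=1001", "status": 200},
    {"sub": "alice", "client_id": "web-app", "path": "/orders", "query": "id=1002", "status": 200},
    {"sub": "bob", "client_id": "web-app", "path": "/orders", "query": "id=1001%27%20OR%201=1", "status": 400},
    {"sub": "bob", "client_id": "web-app", "path": "/files", "query": "name=..%2F..%2Freport.pdf", "status": 400},
    {"sub": "svc-reports", "client_id": "batch-job", "path": "/orders", "query": "", "status": 200},
    {"sub": "svc-reports", "client_id": "batch-job", "path": "/admin/users", "query": "", "status": 403},
    {"sub": "svc-reports", "client_id": "batch-job", "path": "/admin/keys", "query": "", "status": 403},
    {"sub": "svc-reports", "client_id": "batch-job", "path": "/internal/config", "query": "", "status": 404},
]

# Minimal WAF-style signatures (illustrative only).
SIGNATURES = {
    "sql_injection": re.compile(r"['\"]\s*(or|and)\s+\d+=\d+|union\s+select", re.I),
    "path_traversal": re.compile(r"\.\./|\.\.\\"),
}

def inspect(req):
    """Return the names of signatures matched by the URL-decoded path and query."""
    target = unquote_plus(f"{req['path']}?{req['query']}")
    return [name for name, rx in SIGNATURES.items() if rx.search(target)]

def flag_principals(requests, max_denied_paths=3):
    """Attribute findings to the authenticated principal (sub, client_id)."""
    hits, denied = defaultdict(set), defaultdict(set)
    for req in requests:
        who = (req["sub"], req["client_id"])
        hits[who].update(inspect(req))
        if req["status"] in (403, 404):
            denied[who].add(req["path"])
    report = {}
    for who in list(hits):
        reasons = sorted(hits[who])
        # Many distinct denied endpoints from one identity looks like probing,
        # e.g. a leaked client secret being used outside its normal scope.
        if len(denied[who]) >= max_denied_paths:
            reasons.append("endpoint_probing")
        if reasons:
            report[who] = reasons
    return report
```

Because the token has already been validated, each finding maps to a specific user or client ID, which tells you which credential to revoke or rotate.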