I can suggest the following steps to further investigate the issue:
1. While connected to the Twingate client, run an nslookup or dig to the hostname served by the WAF. What you’re looking for at this point is for the address to resolve to an IP in the CG-NAT range of 100.x.
2. After a minute or so, go check the resource in the Twingate Admin Console, and in the activity log you should see your connection attempt. If it is red, it means it failed (the connector could not reach the resource); if it is green, it means the connector was able to reach the resource.
If the first step resolves to the 100.x range and the second one shows a successful (green) connection, then it would suggest the WAF is improperly configured. Either it has not been set to allow the correct exit IP of the Twingate connector in your network or there is some other reason for it to block the connection.
I hope the above helps; please let us know how you get on with this.
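The two checks above combined into one triage helper, as an added example that is not part of the original reply or any Twingate tooling. It assumes "100.x" means the RFC 6598 CG-NAT block 100.64.0.0/10, that you paste in `dig +short` output, and that you enter the activity-log colour by hand; the function names and result labels are hypothetical.

```python
import ipaddress

# RFC 6598 shared address space (CG-NAT): 100.64.0.0 - 100.127.255.255.
# Assumption: this is the block meant by "100.x" in the steps above.
CGNAT = ipaddress.ip_network("100.64.0.0/10")


def parse_dig_short(output):
    """Return the IP addresses found in `dig +short` output, skipping CNAME lines."""
    addrs = []
    for line in output.splitlines():
        token = line.strip()
        if not token or token.startswith(";"):
            continue  # blank line or dig comment
        try:
            addrs.append(ipaddress.ip_address(token))
        except ValueError:
            pass  # a CNAME target such as "waf.example.net."
    return addrs


def in_cgnat(addr):
    """True only for IPv4 addresses inside 100.64.0.0/10."""
    return addr.version == 4 and addr in CGNAT


def triage(dig_output, connector_reached):
    """Combine step 1 (DNS answer) with step 2 (activity log colour).

    connector_reached: True for a green entry, False for a red one,
    None if no entry has shown up in the activity log yet.
    """
    addrs = parse_dig_short(dig_output)
    if not addrs:
        return "no-answer: the hostname did not resolve to any address"
    if not all(in_cgnat(a) for a in addrs):
        outside = ", ".join(str(a) for a in addrs if not in_cgnat(a))
        return f"not-cgnat: step 1 not met, {outside} is outside {CGNAT}"
    if connector_reached is None:
        return "pending: step 1 met, wait for the activity log entry"
    if connector_reached:
        return "check-waf: connector reached the resource, review the WAF allow list"
    return "connector-unreachable: the connector could not reach the resource"


if __name__ == "__main__":
    # Constructed sample answer, not taken from a real deployment.
    print(triage("100.96.0.12\n", True))
```

Note that an answer such as 100.20.1.5 starts with 100 but is not in the CG-NAT block, so the helper reports it as `not-cgnat`.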