Hi Juan,
Because the frontend is a *Javascript application* (built on Angular.io), it runs in a user's browser by default (except when Angular's server-side rendering is triggered).
This means that (at least some of the time) your users are running the frontend in their browser and only sending requests to your backend (REST API).
This is why trying to set "rest" to "localhost" won't work. Because, in that scenario, your users are running the frontend in their browser and it's trying to connect to "localhost" (which would be the user's own machine, and *not* your REST API).
This is exactly why the REST API always needs to be configured as a publicly available URL...because all your users are sending requests to the REST API directly whenever they are running the UI in their browser.
In terms of whether the frontend needs to send every request through your WAF (web application firewall)...that's harder to answer. If every external request is going through the WAF, then these requests will need to as well. But, maybe there's some way to change your firewall settings to "trust" requests coming from your frontend? I don't know the answer here, but maybe someone else on this list may have ideas if they've dealt with this before.
Hopefully those give you a few ideas to start with. Maybe others on this list will have additional suggestions.
Tim