Is the cloned system also behind the WAF?
If the WAF is the main difference for external versus internal users, that sounds like a prime candidate for the culprit. Nextcloud doesn’t suggest WAFs in front (which is why the support template asks about mod_security for example), because it’ often leads to problems like this.
Also, can you please show the Web Browser + Nextcloud logs as described in the support template.
Lastly, screenshots?