Found It!
The offending IP originates from:
inetnum: 94.156.64.0 - 94.156.71.254
netname: Fuse_Hostingweb-NET
descr: Fuse Hosting Web
org: ORG-FA1221-RIPE
country: US
admin-c: NA6844-RIPE
tech-c: NA6844-RIPE
mnt-domains: fusehosting-mnt
mnt-routes: fusehosting-mnt
status: ASSIGNED PA
mnt-by: MNT-NETERRA
created: 2024-10-31T11:31:22Z
last-modified: 2024-10-31T11:31:22Z
source: RIPE
And as surmised, it was part of a net-block now-excluded by the firewall since the last renewal due to repeated distributed attacks originating within that net-block over the past 30 days. I'll whitelist the individual address used by the challenge and suspect all will go well on the next update (unless, of course, another offending net-block between now and then also contains another of your challenge IPs :)
Thank you again for your help!
(now as to why a US listed net-block is being returned through a RIPE query... because inquiring minds just gotta know...)