On ModSecurity, given that some list of cities or countries is blocked (as at the bottom), but wanting to whitelist Let's Encrypt (which checks the .well-known directory) within such a manually configured rule, would adding the below lines within that rule properly whitelist LE?
Allow requests for /.well-known/acme-challenge/ from anywhere, indeed. LE does not publish the IP addresses used for validation (that would help attackers greatly), and validations are done from up to 4 different vantage points.
However, you already seem to be doing the correct thing, right? What exactly do you require help with? Isn't it working properly?
First, I personally would not bother with such an approach.
But, if you must, I would not check the User-Agent and would just use the URI and city. As to the syntax for that product, I have no idea. These are just general comments:
You know the LE server IPs may change, per their FAQ. My personal experience is that geo databases change too, so checking city names is unreliable.
To be sure that Let's Encrypt HTTP challenges are whitelisted, you should pass through any requests for the .well-known/acme-challenge URI. Or use the DNS challenge.
Blocking "AWS cities" seems problematic, but it's your call. For example, I use test servers on AWS when inspecting people's sites while helping on this forum. A block such as this might lead me to wrong conclusions and bad advice. And other helpful sites that are hosted on AWS might have problems too (like HTML, SSL or server testers ... things like that).
If you have traffic stress from such attacks maybe a CDN like Cloudflare is a better solution.
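The URI-only pass-through described in this answer, written in ModSecurity's own rule syntax as an added example (not from the original thread or the poster's configuration). Assumptions: the rule id 10001 is a placeholder from the local id range, the rule is placed ahead of whatever geo/city blocking rules are in use, and the token pattern follows RFC 8555, which limits ACME challenge tokens to the base64url alphabet, so only a single path segment can match and dot-segments or extra slashes never ride on the allow.

```apacheconf
# Added example, not the poster's rule. Load this before any geo/city
# blocking rules so the ACME HTTP-01 validation request is decided on the
# request path alone: no User-Agent check, no source-IP or city check,
# because LE's validation addresses and vantage points are not published.
#
# id 10001 is a placeholder in the local range (1-99999); pick a free one.
# REQUEST_FILENAME is the path without the query string; the transformations
# decode percent-encoding and collapse dot-segments before the regex runs.
# The regex allows exactly one base64url token after the ACME prefix, so
# /.well-known/acme-challenge/../something does not match and falls through
# to the normal (blocking) rules.
SecRule REQUEST_METHOD "@streq GET" \
    "id:10001,\
    phase:1,\
    allow,\
    nolog,\
    msg:'ACME HTTP-01 challenge request passed through',\
    chain"
    SecRule REQUEST_FILENAME "@rx ^/\.well-known/acme-challenge/[A-Za-z0-9_-]+$" \
        "t:none,t:urlDecodeUni,t:normalizePath"

# The geo/city blocking rules the poster already has go below this point.
```

With `allow`, a matching request skips the remaining phases (apart from logging), so the geo rules never see it; every other request, including anything else under /.well-known/, is still evaluated by them.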