Let’s Encrypt policies and Internet tech standards don’t prevent this, but a practical question may be whether the Sucuri device blocks the method that you would otherwise use to prove your control over the domain name in order to obtain the certificate. The most popular methods of proving control over the domain name involve receiving inbound connections (on port 80 or port 443) from the Let’s Encrypt certificate authority. Particular information presented in response to these connections by your Let’s Encrypt client helps to confirm that the person who requested the certificate is the same person who controls the domain name.
If the Sucuri device blocks or interferes with any of these connections, the verification process might not succeed. In that case, you’ll need to get it not to interfere that way, or else use a different verification method.
However, there is no other reason preventing the issuance and use of a Let’s Encrypt certificate for a back-end server behind a WAF device.