The question states: "Which of the following would you use to block inbound network traffic from a known IP address range from reaching your VPC subnet?" The answers have WAF and NACL. According to the WAF FAQ, it states you can block by IP addresses, so couldn’t it be both, NACL and WAF?
WAF is not used to block access to a subnet, but to an application hosted in API GW, ALB, etc. Even if you block an IP using WAF, it can still reach the subnet if the protocol used is not HTTP/S.
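A simplified model of the distinction drawn in the answer above, added here as an illustration (it is not part of the original thread and is not AWS code). The rule numbers, the sample range 203.0.113.0/24 and all function names are assumptions; security groups and routing are ignored.

```python
import ipaddress

BLOCKED_RANGE = "203.0.113.0/24"  # constructed sample (documentation range)

# Hypothetical NACL inbound entries: (rule number, CIDR, protocol, action).
# Protocol "-1" means all protocols.
NACL_INBOUND = [
    (90, BLOCKED_RANGE, "-1", "deny"),
    (100, "0.0.0.0/0", "-1", "allow"),
]
WAF_IP_BLOCKLIST = [BLOCKED_RANGE]  # hypothetical WAF IP set on an ALB

DROPPED_NACL = "dropped at subnet boundary by NACL"
BLOCKED_WAF = "reached subnet, request blocked by WAF"
DELIVERED = "reached subnet and application"

def in_range(src_ip, cidr):
    return ipaddress.ip_address(src_ip) in ipaddress.ip_network(cidr)

def nacl_allows(rules, src_ip, transport):
    """Entries are checked in ascending rule number; the first match decides."""
    for _num, cidr, proto, action in sorted(rules, key=lambda r: r[0]):
        if in_range(src_ip, cidr) and proto in ("-1", transport):
            return action == "allow"
    return False  # nothing matched: the default entry denies

def waf_blocks(blocklist, src_ip, app_protocol):
    """WAF only evaluates HTTP/S requests to the resource it protects."""
    if app_protocol not in ("http", "https"):
        return False  # WAF never sees this traffic
    return any(in_range(src_ip, cidr) for cidr in blocklist)

def fate(src_ip, transport, app_protocol, nacl=None, waf=None):
    """Where inbound traffic ends up given an optional NACL and WAF."""
    if nacl is not None and not nacl_allows(nacl, src_ip, transport):
        return DROPPED_NACL
    if waf is not None and waf_blocks(waf, src_ip, app_protocol):
        return BLOCKED_WAF
    return DELIVERED

if __name__ == "__main__":
    for app in ("https", "ssh"):
        print("WAF only ", app, "->", fate("203.0.113.7", "tcp", app, waf=WAF_IP_BLOCKLIST))
        print("NACL only", app, "->", fate("203.0.113.7", "tcp", app, nacl=NACL_INBOUND))
```

The deny entry only takes effect because its rule number is lower than the allow-all entry; placed after it, the allow would match first.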