xss_match_statement for and_statement

[gustavo-guerra-compasso]

What is the current behavior?
the module does not work with rule xss_match_statement inside and_statement.

If the current behavior is a bug, please provide the steps to reproduce and if possible a minimal demo of the problem.

this the terraform code I am using:
default = [
{
name = "allow-svg-upload-modalities"
priority = "0"

  action = "allow"

  and_statement = {
    statements = [
      {
        geo_match_statement = {
          country_codes = ["NL", "GB", "US"]
        }
      },
      {
        xss_match_statement = {
          field_to_match = {
            body = {
              oversize_handling = "MATCH"
            }
          }
          priority = 0
          type     = "NONE"
        }
      },
      {
        regex_match_statement = {
          regex_string = "\\/path\\/(.*)\\/settings"
          field_to_match = {
            uri_path = "{}"
          }
          priority = 0
          type     = "NONE"
        }
      }
    ]
  }

  visibility_config = {
    cloudwatch_metrics_enabled = false
    metric_name                = "allow-svg-upload-modalities"
    sampled_requests_enabled   = true
  }
}

]

What is the expected behavior?
Be able to create xss_match_statement rules for and_statements.

Software versions?
4.6.1 but it seem that the current version (5.1.2) has the same problem.