Trusted extra eyes for stuck bug bounty findings
Found a legacy authentication endpoint on a major tech company where a path parameter value is reflected inside a script tag JSON object without proper encoding. However, the WAF catches most XSS payloads and the server also does some escaping on angle brackets. I have not achieved full XSS execution yet, but the reflection is clearly there and the encoding is inconsistent. Looking for someone experienced with WAF bypass techniques and script-context XSS to help find a working payload. The endpoint also leaks internal hostnames in its CSP header and accepts arbitrary values for the application identifier parameter.
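Added example (not code from the original post or from the target the poster describes): the encoding pattern the post describes, a value reflected inside a JSON object in a script tag with only angle brackets escaped, beside the encoding that actually keeps the value inside its string. The page template, the `appId` field, the parameter values and the helper names are constructed for illustration. The check at the end shows the symptom to look for: with angle-bracket-only escaping, a quote or backslash in the parameter breaks the JSON structure, and an angle bracket is turned into a literal `&lt;` inside the script (browsers do not decode entities there), so the value is either corrupted or escapes its context rather than being encoded.

```javascript
// Naive encoder: only < and > are HTML-escaped (the "inconsistent encoding"
// pattern from the post). Double quotes and backslashes pass through untouched,
// and inside a <script> block entities are not decoded, so the value is
// changed rather than protected.
function naiveEncode(value) {
  return String(value).replace(/</g, '&lt;').replace(/>/g, '&gt;');
}

// Hardened encoder: JSON.stringify escapes quotes, backslashes and control
// characters; the extra pass turns the characters the HTML parser cares about
// (< > &) and the JS line terminators U+2028/U+2029 into \uXXXX escapes, which
// are inert inside a JSON string and survive JSON.parse unchanged.
function safeJsonForScript(value) {
  return JSON.stringify(value).replace(/[<>&\u2028\u2029]/g, c =>
    '\\u' + c.charCodeAt(0).toString(16).padStart(4, '0'));
}

// Hypothetical page template (assumption, not the poster's target): the
// application identifier parameter is inlined into a JSON config object.
function renderNaive(appId) {
  return `<script>var cfg = {"appId":"${naiveEncode(appId)}","env":"prod"};</script>`;
}
function renderSafe(appId) {
  return `<script>var cfg = {"appId":${safeJsonForScript(appId)},"env":"prod"};</script>`;
}

// Containment check: pull the object literal out of the rendered script and
// confirm it still parses to the intended two-key object with the original
// appId. A parse failure means the value broke out of its string; a mismatch
// means the encoder altered the value instead of encoding it.
function reflectionIsContained(html, expectedAppId) {
  const m = html.match(/var cfg = (.*);<\/script>$/s);
  if (!m) return false;
  try {
    const cfg = JSON.parse(m[1]);
    return cfg.appId === expectedAppId && Object.keys(cfg).length === 2;
  } catch (e) {
    return false;
  }
}

// Constructed sample inputs: a benign identifier, one with a quote, one with a
// closing script tag.
const samples = ['mobile-ios', 'a"b', 'x</script>'];
for (const s of samples) {
  console.log(JSON.stringify(s),
    'naive contained:', reflectionIsContained(renderNaive(s), s),
    'safe contained:', reflectionIsContained(renderSafe(s), s));
}
```

The useful takeaway for triage is the second check, not the first: an encoder that survives `<` and `>` but not `"` or `\` is the inconsistency that matters in a script-string context, because the HTML parser is not the boundary being crossed there, the JS string is.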