Ok so at this point if it were me what I would do is create a customized .htaccess file for this 3rd party app or whatever else it is if it just a stand alone Form of some kind. I would take the root .htaccess file, edit it to work for this app or Form and then copy it into the folder where this app or Form exists. In order to do this an index file also would need to exist/be created in that folder. It can be either a blank php index.php file or a blank HTML index.html file. You would need to manually create the correct RewriteBase and RewriteRules and then what I would do is comment out the entire BPS Query string exploits code except for this code:
RewriteCond %{QUERY_STRING} (sp_executesql) [NC]
RewriteRule ^(.*)$ - [F,L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
Then I would uncomment the Query string exploits code in groups of 3’s until the exact security filter that is blocking whatever is being blocked is located. Once you find that rule or rules then leave them commented out in that custom .htaccess file.