Per RFC 9112 Section 3.2, the request-target should match:
request-target = origin-form / absolute-form / authority-form / asterisk-form
origin-form is defined like this:
origin-form = absolute-path [ "?" query ] # https://www.rfc-editor.org/rfc/rfc9112.html#name-origin-form
absolute-path = 1*( "/" segment ) # https://www.rfc-editor.org/rfc/rfc9110.html#name-uri-references
and the RFC explicitly states: "When making a request directly to an origin server, other than a CONNECT or server-wide OPTIONS request (as detailed below), a client MUST send only the absolute path and query components of the target URI as the request-target."
The other kinds of request-target are defined like this:
absolute-form = absolute-URI # https://www.rfc-editor.org/rfc/rfc9112.html#name-absolute-form
absolute-URI = scheme ":" hier-part [ "?" query ] # https://www.rfc-editor.org/rfc/rfc3986.html#section-4.3
authority-form = uri-host ":" port # https://www.rfc-editor.org/rfc/rfc9112.html#name-authority-form
asterisk-form = "*" # https://www.rfc-editor.org/rfc/rfc9112.html#name-asterisk-form
authority-form is only used for CONNECT requests; absolute-form can be used for CONNECT and site-wide OPTIONS, while the asterisk-form is only used for OPTIONS requests.
The majority of requests (GET/HEAD/POST) should use the origin-form, hence the request-target should always be of the form ^/. The CDN currently fails to ensure this, which has triggered T317660 (public report available at https://github.com/apache/trafficserver/issues/9094).
Similar to the fix proposed in https://github.com/apache/trafficserver/issues/9094 and backported to ATS 9.1.3-1wm2 in https://gerrit.wikimedia.org/r/c/operations/debs/trafficserver/+/834045, Varnish should enforce RFC 9112 Section 3.2 and return a 400 for requests that don't provide a valid request-target.
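
The check proposed above, sketched as an added Python example (not code from this task, ATS or Varnish): it classifies a request-target into the four RFC 9112 forms and returns 400 when the form does not suit the method. The regexes are simplified from the ABNF, the function names and sample targets are constructed, and rejecting absolute-form at the edge is an assumption that follows the ^/ rule stated here.

```python
import re

# pchar = unreserved / pct-encoded / sub-delims / ":" / "@"  (RFC 3986)
PCHAR = r"(?:[A-Za-z0-9\-._~!$&'()*+,;=:@]|%[0-9A-Fa-f]{2})"
QUERY = rf"(?:\?(?:{PCHAR}|[/?])*)?"
# origin-form = absolute-path [ "?" query ], absolute-path = 1*( "/" segment )
ORIGIN = re.compile(rf"(?:/{PCHAR}*)+{QUERY}")
# authority-form = uri-host ":" port (simplified: reg-name or bracketed IP literal)
AUTHORITY = re.compile(r"(?:\[[0-9A-Fa-f:.]+\]|[A-Za-z0-9\-._~!$&'()*+,;=%]+):\d+")
# absolute-form, simplified to scheme "://" authority [path] [query]
ABSOLUTE = re.compile(rf"[A-Za-z][A-Za-z0-9+.\-]*://[^/?#\s]+(?:/{PCHAR}*)*{QUERY}")

def classify(target):
    """Return the name of the RFC 9112 form the target matches, or 'invalid'."""
    if target == "*":
        return "asterisk-form"
    if ORIGIN.fullmatch(target):
        return "origin-form"
    # "host:port" also parses as scheme ":" hier-part, so test authority first.
    if AUTHORITY.fullmatch(target):
        return "authority-form"
    if ABSOLUTE.fullmatch(target):
        return "absolute-form"
    return "invalid"

# Assumed edge policy: everything except CONNECT and OPTIONS must start with "/".
# RFC 9112 asks servers to accept absolute-form; a deployment that needs it
# would normalise such targets to origin-form before running this check.
ALLOWED = {
    "CONNECT": {"authority-form"},
    "OPTIONS": {"origin-form", "asterisk-form"},
}

def check(method, target):
    """Return 400 if the request must be rejected, None if it may proceed."""
    allowed = ALLOWED.get(method, {"origin-form"})
    return None if classify(target) in allowed else 400

if __name__ == "__main__":
    # Constructed request lines, already split into method and request-target.
    samples = [
        ("GET", "/wiki/Main_Page?action=raw"),
        ("GET", "wiki/Main_Page"),
        ("GET", "http://example.org/wiki/Main_Page"),
        ("GET", "/%zz"),
        ("OPTIONS", "*"),
        ("CONNECT", "example.org:443"),
    ]
    for method, target in samples:
        print(method, target, classify(target), check(method, target) or "pass")
```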