I believe it is pretty common to rate-limit based on the /32 for IPv4 and the /64 for IPv6; this isn’t something the NCC has invented.
The rationale for /64 is that IPv6 privacy addresses will cause the
source IP address to change for each successive query, i.e. on a
standard SLAAC network, the limit of 1000 person objects
per-IP-address-per-day won't apply by default. Applying the rate limit
on the entire /64 for IPv6 closes off this rather embarrassing loophole.
Does the EB even need to approve text to clarify this? It's a standard
and completely reasonable approach to rate-limiting.
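
Added example, not part of the original messages and not the NCC's code: a daily limiter that keys on the /32 for IPv4 and a configurable prefix for IPv6, run against a client whose source address changes on every query. The class and function names, the date string and the 2001:db8::/32 documentation addresses are constructed for illustration; the limit of 1000 is the figure quoted above.

```python
import ipaddress
from collections import defaultdict

DAILY_LIMIT = 1000  # person objects per client per day (figure from the thread)

def bucket_key(addr: str, v6_prefix: int = 64) -> str:
    """Map a source address to the prefix its rate-limit counter is kept on."""
    ip = ipaddress.ip_address(addr)
    # An IPv4-mapped IPv6 source (::ffff:a.b.c.d) is counted as its IPv4 address.
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    if ip.version == 4:
        return f"{ip}/32"
    # strict=False masks off the host bits, leaving the covering prefix.
    return str(ipaddress.ip_network(f"{ip}/{v6_prefix}", strict=False))

class DailyLimiter:
    """Hypothetical per-day counter; v6_prefix=128 models per-address limiting."""

    def __init__(self, limit: int = DAILY_LIMIT, v6_prefix: int = 64):
        self.limit = limit
        self.v6_prefix = v6_prefix
        self.counts = defaultdict(int)  # (day, bucket) -> queries served

    def allow(self, addr: str, day: str) -> bool:
        key = (day, bucket_key(addr, self.v6_prefix))
        if self.counts[key] >= self.limit:
            return False
        self.counts[key] += 1
        return True

def rotating_sources(n: int, prefix: str = "2001:db8:1:2::/64") -> list:
    """Constructed sample: n queries, each from a fresh address in one /64."""
    net = ipaddress.ip_network(prefix)
    return [str(net[i + 1]) for i in range(n)]

def served(limiter: DailyLimiter, sources: list, day: str = "2024-01-01") -> int:
    """Count how many of the queries the limiter lets through on one day."""
    return sum(limiter.allow(src, day) for src in sources)

if __name__ == "__main__":
    queries = rotating_sources(1500)
    print("per-address (/128):", served(DailyLimiter(v6_prefix=128), queries))
    print("per-/64:           ", served(DailyLimiter(v6_prefix=64), queries))
```
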