Thanks for the nice writeup! When you say:

To bypass this we can use a simple %64ebug/answer. This allows us to bypass nginx

I'm finding that this does not seem to be the case. If I go to /%64ebug/answer I still get the 403 response from the nginx rule.
It seems to still match the /debug pattern since it must be smart enough to take into account encodings like this.