If they flood the web site, they will get that 429 message so that they will not be able to continue to flood your site. Just like it did for him. The server isn’t giving him that message because you “authorized” him. It is keeping him from accessing the site because he is being malicious. If they flood the web site all day long it will not affect your server because they will get only the 429 page.
You are already protected.
Often people get that 429 error when they should not, and they are unable to access their site. That is a problem. You have no problem. You are unable to access your site if you try to take it down. That is what you want.