I created a Python Script Policy:
import re
qs = flow.getVariable('request.querystring')
p = re.compile(r".*apikey=(\w+).*", re.IGNORECASE)
m = p.match(qs)
if m is not None:
flow.setVariable('qp.api_key', m.group(1))
in this case, it gets assigned to qp.api_key and use that ref for the VerifyApiKey policy.
i think this should be a standard option to extract flow variables (i.e., case-insensitive param names) instead of going through extra policies to do the same relatively basic thing.
thanks for the quick response and ideas, guys.