Yes the Wordfence rules do apply to WooCommerce customers. We have tested the following scenarios:
Customer created an account during checkout.
Customer logs in successfully with correct password.
Scenario 1: Hacker tries to login using woo created account using normal WordPress login mechanism and fails more than the threshold that Wordfence has set. Hacker is locked out.
Scenario 2: Hacker tries to login during checkout in WooCommerce and fails more than the number of times that Wordfence allows. Hacker is also locked out.
So it's fully supported.
Regards,
Mark.