My definition in the frontend looks like this:
acl blockedagent hdr_sub(user-agent) -i -f /etc/haproxy/blacklist.agent
http-request deny if blockedagent
That blocks agents in the given file successfully, where the blacklist file contains one line for each blocked agent in clear text, without escaping special characters.
In your case, is the Apache host the same as the HaProxy host? If they are different, is it possible that the bots are sending their requests to the Apache directly, bypassing HaProxy?