Yes, correct. However depending on the proxy/tool doing the rate limiting it may be easier to limit based on a key in a separate cookie or header than extracting from a signed cookie. Even if the other cookie or header is logically covered by that signature keeping it more separate may make it easier overall.