When you're talking about rate limiting, where do you actually put that in?

I've been thinking a lot about rate limiting lately, you know, especially for those public-facing APIs. Should we handle it at the edge, maybe with a CDN or an API gateway, or should it be done within the application services themselves? Each way seems to have its pros and cons. Handling it at the edge might make global limits easier to manage, but then again, doing it at the application level could give us more specific control over individual users or features. What have you found works best?