Rate limiting at the edge vs application layer: defense in depth
Yara Ivanova
We're working on improving our public API rate limiting strategy. Currently, we have some basic rate limiting at the edge using our API gateway, but there's a debate about whether to also implement more granular, application-layer rate limiting. For a system handling 10k requests per second, we're evaluating token bucket versus sliding window algorithms. A key challenge is ensuring consistent rate limiting across multiple instances of our API gateway. Do people typically rely solely on edge rate limiting, or is a defense-in-depth approach with both edge and application-level limiting more robust? What are the complexities of distributing rate limit counters and ensuring fairness across many nodes?
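An added example, not part of the original post: a small simulation of the cross-node consistency problem the question raises, for one client key served by several gateway instances that each run a token bucket. The node count, per-client limit, offered load and the in-process "shared" bucket standing in for a central counter store are all assumptions chosen for illustration.

```python
import random

class TokenBucket:
    """Token bucket: refills `rate` tokens per second, stores at most `burst`."""
    def __init__(self, rate, burst):
        self.rate, self.burst = rate, burst
        self.tokens, self.last = float(burst), 0.0

    def allow(self, now):
        # Refill for the elapsed time, capped at the burst size.
        self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False

def simulate(mode, nodes=4, limit=100, offered=1000, seconds=10, skew=0.0, seed=1):
    """Return admitted requests per second for one client key.

    mode: "local-full"  every node enforces the whole limit on its own
          "local-split" every node enforces limit/nodes on its own
          "shared"      all nodes draw from one bucket (stand-in for a central store)
    skew: fraction of traffic pinned to node 0 (0.0 = spread evenly at random).
    """
    rng = random.Random(seed)  # constructed, reproducible traffic
    if mode == "shared":
        buckets = [TokenBucket(limit, limit)] * nodes  # same object on every node
    else:
        per_node = limit if mode == "local-full" else limit / nodes
        buckets = [TokenBucket(per_node, per_node) for _ in range(nodes)]
    admitted = 0
    for i in range(offered * seconds):
        now = i / offered  # evenly spaced arrivals
        node = 0 if rng.random() < skew else rng.randrange(nodes)
        admitted += buckets[node].allow(now)
    return admitted / seconds

if __name__ == "__main__":
    cases = [("local-full", 0.0), ("local-split", 0.0), ("local-split", 1.0), ("shared", 0.0)]
    for mode, skew in cases:
        print(f"{mode:12s} skew={skew}: {simulate(mode, skew=skew):6.1f} req/s admitted (limit 100)")
```

Independent per-node counters admit roughly `nodes` times the intended limit, splitting the limit evenly starves a client whose traffic lands on one node, and only the shared bucket holds the limit regardless of routing (the extra ~10 req/s over 100 is the initial burst averaged over the run).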