It is possible to source a packet with an arbitrary IP address, even an invalid IP address. This is commonly done with DDoS attacks.
For scanning to be effective, the scanner needs to get the response traffic back. If the scan came from 192.168.2.255, and if the network was 192.168.2.0/24, then the response would be broadcast on that subnet and every host on that subnet (including possibly the scanner) would see the response.
To identify the scanner, look at the Ethernet header of an inbound scan on the originating subnet, and look for the source MAC address.
Long ago, “IP directed broadcast” was enabled by default on Cisco routers. My company used to synchronize time by broadcasting NTP updates to the class B directed broadcast address for our site (similar to 172.16.255.255). The NTP update would flood my class-B.
For the past two decades, “no IP directed broadcast” has been the default on Cisco (and presumably other vendor) routers, for obvious security reasons.
192.168.2.255 is a perfectly valid IP address if the originating subnet is 192.168.2.0/23. The intermediate routers and your host have no idea if 192.168.2.255 is valid unless they are directly on that subnet.
It is good that the Windows Filtering Platform is blocking and logging some of this. “Do not accept packets where the source IP is the broadcast IP of a directly attached subnet” sounds like a good rule. “Do not accept packets with a multicast source address” would be another good one.
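
The two filtering rules quoted above, sketched in Python as an added example (not part of the original post and not the Windows Filtering Platform's own logic). The function name, the verdict strings and the list of attached subnets are assumptions made for illustration; the sample addresses are constructed from the ones used in the text.

```python
import ipaddress

# Constructed sample: subnets this host is directly attached to (assumption).
ATTACHED_SUBNETS = ["192.168.2.0/24"]

def classify_source(src, attached=ATTACHED_SUBNETS):
    """Return (verdict, reason) for the source address of an inbound packet.

    Only directly attached subnets are checked: as the text notes, a host
    cannot know the prefix length of a remote subnet, so it cannot tell
    whether a remote x.x.x.255 is a broadcast address or an ordinary host.
    """
    addr = ipaddress.ip_address(src)

    # Rule 2: a multicast address is never a legitimate source.
    if addr.is_multicast:
        return ("drop", "multicast source address")

    # Rule 1: source equals the broadcast address of an attached subnet.
    for cidr in attached:
        net = ipaddress.ip_network(cidr)
        # IPv6 has no broadcast; /31 and /32 have no usable broadcast address.
        if net.version != 4 or addr.version != 4 or net.prefixlen >= 31:
            continue
        if addr == net.broadcast_address:
            return ("drop", f"broadcast address of attached subnet {net}")
        if addr in net:
            return ("accept", f"host address on attached subnet {net}")

    return ("accept", "not on an attached subnet; prefix length unknown")

if __name__ == "__main__":
    # The same source address is a broadcast on a /24 but a host on a /23.
    for subnets in (["192.168.2.0/24"], ["192.168.2.0/23"]):
        for src in ("192.168.2.255", "192.168.3.255", "224.0.0.1"):
            verdict, reason = classify_source(src, subnets)
            print(f"{subnets[0]:<16} {src:<14} {verdict:<6} {reason}")
```
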