it create a never-ending loop as WordPress tries to find the 403.php page
Not WordPress, but Apache. WordPress never even sees the request.
You need to make an exception for your custom 403 error document, otherwise, the directives you have posted would issue another 403 for the error document itself… an endless loop.
If your ErrorDocument is defined like so:
ErrorDocument 403 /403.php
Then you can either create an exception before your existing rules like this:
RewriteRule ^403\.php$ - [L]
Which effectively instructs mod_rewrite/Apache to do nothing when the /403.php document is requested.
Or, incorporate this into your existing rule block. For example:
RewriteCond %{REQUEST_URI} ^(.*)?wp-login\.php(.*)$ [OR]
RewriteCond %{REQUEST_URI} ^(.*)?wp-admin$
RewriteCond %{REMOTE_ADDR} !^111\.111\.22\.33$
RewriteRule !^403\.php$ - [R=403,L]
The ! prefix on the RewriteRule pattern negates the regex. So, this rule block will only be processed if the /403.php document is not requested. Note that [R=403,L] is the same as [F].
Or, you can simply disable your custom error document instead and use Apache’s default error response:
ErrorDocument 403 default