API security
- Sep 18, 2023
Hi THE_BLUE,
instead of iRules & datagroup you could use address lists. But this is just personal flavor (read more here).
Client cert auth is good. Cert management might be cumbersome.
Maybe look at Rate Limiting, check out API Protection with APM. Old but gold video https://www.youtube.com/watch?v=UVcUAjtyYaY
And final hint - apply a WAF policy. Use ASM Signatures to protect your technology stack from known vulnerabilities. Apply signatures for Server Technologies, like NGINX, JavaScript, etc.
KR,
Daniel
- Sep 18, 2023
I do everything you do, but I also ask the client using the API to put in or amend an HTTP header with a pre-shared key.
User-Agent or something like that.
If you have APM, you could potentially get APM to do the API auth for you, but you'd then need to get APM to auth lower for you as well; it might protect your API servers a little more.
- Sep 19, 2023
Hi THE_BLUE, just to add a comment: if LTM is what you have to work with, these techniques mentioned by PSFletchTheTek and Daniel_Wolf are solid.
As you review your architecture and plan for the future, you'd be far better served for critical services like this with a focused API gateway, with something like NGINX or F5 Distributed Cloud API Security, the latter of which is pretty close to an easy button. It's worth a look to see where the specific features can benefit you.
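As an added illustration of the LTM-only approach discussed in this thread (an allow-list of client addresses plus the pre-shared key header Daniel suggests), here is an example iRule. It is not code from any of the posters; the data group names api_allowed_clients (address type) and api_keys (string type) and the header name X-API-Key are assumed placeholders.

```tcl
# Example iRule (constructed for this thread, not from the original posts).
# Assumes two data groups exist on the LTM:
#   api_allowed_clients - address-type data group of permitted client networks
#   api_keys            - string-type data group holding the pre-shared keys
when HTTP_REQUEST {
    # First gate: drop anything not coming from an allow-listed source address.
    if { not [class match [IP::client_addr] equals api_allowed_clients] } {
        log local0. "API: rejected [IP::client_addr] - address not allow-listed"
        reject
        return
    }

    # Second gate: require a pre-shared key in a dedicated header.
    # HTTP::header value returns an empty string when the header is absent.
    set key [HTTP::header value "X-API-Key"]
    if { $key eq "" or not [class match $key equals api_keys] } {
        log local0. "API: 401 for [IP::client_addr] - missing or unknown X-API-Key on [HTTP::uri]"
        HTTP::respond 401 content "Unauthorized" "Content-Type" "text/plain" "Connection" "close"
        return
    }

    # Do not forward the shared secret to the pool members.
    HTTP::header remove "X-API-Key"
}
```

Rotate keys by editing the api_keys data group rather than the iRule, and pair this with the rate limiting and ASM signatures mentioned above; a static header is a thin control on its own and the rejection logs are where you will see brute-force or scanning activity first.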