Referring to your question. This is my opinion below:
1) Swagger file import to F5 ASM / AWAF Generally the Swagger file will help to security team to reduce the time and false postivie to understand your API service has been protected by WAF/API security solution. I will call this is a "Positive Security Model".
Seems to F5 APM will interact with session-based level of API since authentication until request/response the data.
3) I do not need to manage authentication at F5 level, which one should I use ? Normally base on the many criteria within your solution or organization. Below is based on my experience:
The WAF operation team mostly not understand how your API service working, how your API authentication working. I'm try to say you should move API authentication management to API gateway level. But our WAF will help them to secure the API services.