Forum Discussion
What's the best way to start the ASM in a manner to achieve security and avoid false positives?
There is no way to guarantee the avoidance of false positives. A lot depends on your application and its use.
The "heavily testing by trusted users" should really be every single link/button on the application clicked, every form submitted with all possible allowed permutations of input.
The best policies are always built manually by people who have a good understanding of your application and its behavior. Obviously, it is not always achievable, so your approach would work, followed by a policy tuning process (a process of false positives analysis and their removal).
Another good starting point is to use a penetration test report output. If your application was penetration tested by a vulnerability scanner tool supported by ASM, you can import the results to make sure that the vulnerabilities identified are mitigated first.
Here is the URL to the ASM Manual: https://support.f5.com/kb/en-us/products/big-ip_asm/manuals/product/asm-getting-started-11-5-0/4.htmlconceptid