F5 ASM 13.1.0 is placed behind a CDN.
TSPD challenges injected in the web page are cached in the CDN. Disabling the cache option is not possible on the CDN. The assumption here is that the TSPD token is placed in all the pages.
Advanced bot protection is not used because of this.
The troubleshooting is showing that all users get the same token "cached by the CDN", thus making any user fail the check!
Only the static content (images/stylesheets/fonts/js/PDF files) should be placed behind a CDN. The best practice is to put all static content onto a separate subdomain such as static.example.com or media.example.com.
F5 ASM is a security device to protect the dynamic content (login pages, portals, applications, etc.).
If the static content is part of the same application (e.g. a /static subfolder), you can use a local traffic policy to disable ASM on that static content path. You can also disable the caching of dynamic pages by injecting a 'Cache-Control: no-cache' HTTP header if the application you are trying to protect with F5 ASM is not doing it for some reason.
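
To check whether the advice above has taken effect, the following added example (not part of the original posts and not F5 code) audits responses captured through the CDN from several clients. It flags dynamic pages that a shared cache may still reuse and pages where different clients received the same challenge value. The sample records, the `token` field, and the `/static/` prefix are constructed assumptions.

```python
# Added example: audit captured responses for CDN-cacheable dynamic pages.
from collections import defaultdict

STATIC_PREFIXES = ("/static/",)  # assumption: path excluded from ASM, as in the answer

def directives(headers):
    """Parse Cache-Control into {directive: value-or-None}, case-insensitively."""
    raw = next((v for k, v in headers.items() if k.lower() == "cache-control"), "")
    out = {}
    for part in raw.split(","):
        name, _, value = part.strip().partition("=")
        if name:
            out[name.lower()] = value.strip('"') or None
    return out

def shared_cache_may_reuse(headers):
    """True if a shared cache may serve this response again without revalidating."""
    d = directives(headers)
    if d.keys() & {"no-store", "private", "no-cache"}:
        return False
    ttl = d.get("s-maxage", d.get("max-age"))  # s-maxage wins for shared caches
    return ttl != "0"  # no directive at all still allows heuristic caching

def audit(samples):
    """samples: dicts with client, path, headers, token (challenge value seen)."""
    findings, seen = [], defaultdict(dict)
    for s in samples:
        if s["path"].startswith(STATIC_PREFIXES):
            continue  # static content is meant to be cached
        if shared_cache_may_reuse(s["headers"]):
            findings.append(("cacheable-dynamic", s["path"]))
        seen[s["path"]].setdefault(s["token"], set()).add(s["client"])
    for path, tokens in seen.items():
        if any(len(clients) > 1 for clients in tokens.values()):
            findings.append(("shared-token", path))  # same challenge, different users
    return sorted(set(findings))

# Constructed sample data, not real captures; token values are opaque placeholders.
SAMPLES = [
    {"client": "A", "path": "/login", "headers": {"Cache-Control": "max-age=300"}, "token": "t1"},
    {"client": "B", "path": "/login", "headers": {"cache-control": "max-age=300"}, "token": "t1"},
    {"client": "A", "path": "/portal", "headers": {"Cache-Control": "no-cache"}, "token": "t2"},
    {"client": "B", "path": "/portal", "headers": {"Cache-Control": "no-cache"}, "token": "t3"},
    {"client": "A", "path": "/static/app.js", "headers": {}, "token": None},
]

if __name__ == "__main__":
    for kind, path in audit(SAMPLES):
        print(kind, path)
```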