It very much depends on what flexibility you have to separate the web app calls from standard user/browser calls, and how strictly the block must be enforced (that is, how important it is that the block be foolproof, unspoofable).
Direct approaches that come to mind include:
- Require authentication, and don't issue credentials to the web app
- Block the web app (or whitelist legitimate users) based on source IP
- Maintain a client activity profile, and block if certain access patterns are present (IDS/IPS style)
The F5 can implement or play a role in each of these approaches, but there are tradeoffs with each (how much effort, how secure, how unspoofable). But rather than describe how to do each, if you describe your requirements and environment better, that'll probably make it clear which is the best approach (and there are probably others that might make sense once your situation is clear).