Yes, you can do ZBF with DMVPN on hub and spoke, and I highly recommend that.
In terms of best practice, have the tunnel interface in a DMVPN zone and not in the same zone as the inside interface.
Then, in terms of rules, it's based on your business traffic, but I will allow ICMP to be able to do some tests (you can filter source and destination for ICMP).
In terms of IPsec, it depends on the security level you want versus the management effort.
I mean that if you don't want to manage the public IPs that are allowed to build an IPsec tunnel, then go with any-to-any. Personally, I always convince customers to create an object group that has all the public IPs that are allowed to build an IPsec tunnel.
PS: Please don't forget to rate and select as validated answer if this answered your question
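An added hub-side IOS ZBF configuration that illustrates the three points above (a dedicated DMVPN zone for the tunnel, ICMP allowed alongside business traffic, and an object group restricting which public IPs may build IPsec to the hub); it is example code, not taken from the answer or from Cisco documentation. The interface names, the peer addresses in the object group, and the chosen business protocols are assumptions, and the INSIDE-to-OUTSIDE zone pair for ordinary Internet traffic is omitted for brevity.

```cisco
! Three zones: LAN, Internet-facing WAN, and a separate zone for the mGRE tunnel
zone security INSIDE
zone security OUTSIDE
zone security DMVPN

! Public IPs of spokes permitted to build IPsec to this hub (constructed placeholders)
object-group network OG-IPSEC-PEERS
 host 203.0.113.10
 host 203.0.113.20
! IKE (UDP/500), NAT-T (UDP/4500) and ESP, only from the permitted peers
ip access-list extended ACL-IPSEC-PEERS
 permit udp object-group OG-IPSEC-PEERS any eq isakmp
 permit udp object-group OG-IPSEC-PEERS any eq non500-isakmp
 permit esp object-group OG-IPSEC-PEERS any

class-map type inspect match-all CM-IPSEC
 match access-group name ACL-IPSEC-PEERS
class-map type inspect match-any CM-BUSINESS
 match protocol http
 match protocol https
 match protocol dns
class-map type inspect match-any CM-ICMP
 match protocol icmp
! Traffic crossing the tunnel: business protocols plus ICMP for reachability tests
policy-map type inspect PM-LAN-TUNNEL
 class type inspect CM-BUSINESS
  inspect
 class type inspect CM-ICMP
  inspect
 class class-default
  drop log

! Only the permitted peers may reach the router's IPsec service from the Internet
policy-map type inspect PM-IPSEC-SELF
 class type inspect CM-IPSEC
  pass
 class class-default
  drop log

zone-pair security IN-TO-DMVPN source INSIDE destination DMVPN
 service-policy type inspect PM-LAN-TUNNEL
zone-pair security DMVPN-TO-IN source DMVPN destination INSIDE
 service-policy type inspect PM-LAN-TUNNEL
zone-pair security OUT-TO-SELF source OUTSIDE destination self
 service-policy type inspect PM-IPSEC-SELF

interface GigabitEthernet0/1
 zone-member security OUTSIDE
interface Tunnel0
 zone-member security DMVPN
```

With only the OUTSIDE-to-self pair defined, the router's own replies to the peers are permitted by the self zone's default behaviour, while any other Internet host attempting IKE or ESP toward the hub is dropped and logged.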