It depends on your design.
- Is your VCE going to tunnel packets to the internet, or will they go direct?
- If the FW needs to inspect the original frames, then you need the FW before the packet is encapsulated into the VCE tunnel.
- One of my customers uses VeloCloud only for MPLS overlays, and any internet-bound traffic is sent direct to the FW and then to the ISP.
The solution can work both ways (VeloCloud > FW or FW > VeloCloud); your requirements will decide what to do.