You can indeed configure this in both ways.
However, since - from what I understand - the DMZ vmnics are plugged into the physical firewall, i.e. not into the same physical switches as the other vmnics, I'd create a separate vSwitch.
I configured both models in vSphere 5.1, but I had a bad experience using the same vSwitch: we configured the failover order for the LAN & DMZ port groups (as you attached) and everything was fine and worked correctly until the host rebooted! When the host came back online, the firewall VM lost connectivity to the DMZ network. This problem happened unexpectedly without any interval time, so I decided to separate their vSwitches, and then the problem was gone forever.

Please mark my comment as the Correct Answer if this solution resolved your problem.