If all devices must connect to ACI you'd probably want to use a dedicated "transit" VRF with a transit BD that the WAN interface and firewall outside interface sits it.
However, I personally will do anything I can to not use ACI as a transit network. It's a good practice in modular network design to keep your DC fabric a separate island. I always recommend a "dc core" or "campus core" to all my customers to aggregate services.
So what I'd try to do is use the firewall inside interface as your ACI L3Out, then connect the WAN routers directly to the firewall.
I hate using ACI as a transit network so much, I'd even consider hanging the internet firewall off the WAN router, using the WAN router as a sort of dc/campus core.