Only have time for a quick answer, but hopefully it will give teh push you need.

Let's assume you are inserting a Firewall between the App_EPG and the DB_EPG

Clients on the App_EPG must have traffic go through the FW when accessing the BD_EPG

Without PBR, endpoints use the FW as their default gateway, ACI acts as a L2 redirection service.

This raises many problems - like how does traffic go say to a L3 Out from the Firewall if App EPs send traffic to the FW?

With L3 PBR, the EPs use ACI as the default gateway, and (typically two) new bridge domains & subnets are inserted between ACI and teh FW - one for each leg.

The Policy of PBR then routes every packet leaving the subnet, and it is a simple task (i.e. define a contract) to say "if traffic is gonig from the App_EPG to the DB_EPG, make the next-hop of the packet the FW"

Simple!

And when done this way, ACI can determine that a different policy is to be applied if the App EPs send packets to say a L3 Out.  Or you can even have say traffic from App to DB on port xxx can go directly to the DB_EPG

Finally, since v4.0 - you can even do PBR on two devices on the same subnet.

Sorry for the rushed answer.

LOTS More info @ https://www.cisco.com/c/en/us/solutions/collateral/data-center-virtualization/application-centric-infrastructure/white-paper-c11-739971.html

I hope this helps

Don't forget to mark answers as correct if it solves your problem. This helps others find the correct answer if they search for the same problem