Hi Brian, curious what you want to achieve with Security Group Tagging. For example, is it network segmentation, quick on-boarding or migration of servers, or the wider end-to-end piece for role-based access to data centre services?
Yes, the Sup720 cannot perform inline propagation of tags. Whilst SXP is more complex, it shouldn't in itself prevent the use of TrustSec. The other switches you mention support SXP (both Speaker & Listener), so I can't see an issue in terms of tag propagation. The 3560-X needs 'IP Base', but I guess they already have that. Do you have inline DC firewalls? If so, then you'll need to use SXP to propagate tags across them anyway. If they are ASAs, then they do not support inline tagging. If they are non-Cisco firewalls, then you'll need to pass tags across them using multi-hop SXP.
Be careful with the 3560-X/3750-X Series since they are very limited when it comes to enforcement capabilities. They can only by used to enforce local switchport p2p communication and only within the same layer-2 domain, so can prevent the spread of Malware between clients within the same VLAN on the same switch, but that's about the only practical use I can think of. Therefore, you'll need to perform the majority of your enforcement elsewhere, such as one of your 6500s. Also, the 3560-X/3750-X only support TrustSec enforcement on up to 8 VLANs on an uplink. Any more and the switchports for the additional VLANs will go into err-disable.
Hope that helps.