I'll go one step further than @Scott Fella and say no you can't do what you show in your second design.
You seem to not understand what the options are with local and central switching of the client traffic with a WLC.
If the client traffic is centrally switched then your AP has no connection to vlan 20. The client traffic is tunnelled to the WLC over CAPWAP and exits the WLC on vlan 20. Yes you could then switch that back to the client side via firewall if you wanted to but that would be independent of the AP. There wouldn't be much point in having a firewall at all in this case.
If you use flexconnect with local switching then the traffic is switched directly onto vlan 20 by the AP so why would you want to send it to the WLC, and over a firewall, and then obviously the WLC doesn't need any connection to vlan 20. Although maybe you'd want a firewall between your client vlan 20 and the internet but then vlan 20 will go to your internet router not the WLC.
So you need to decide on the most appropriate design, understanding the difference between AP in local mode or flexconnect mode and the difference between central switching and local switching. Then you can decide if you want to put a firewall in the path. Go read the basics of how WLC and CAPWAP APs work. Then when you've understood that, work out which design works best for your circumstances and then decide whether a firewall is appropriate and where it should be situated. Don't put a firewall in just for the sake of it when it doesn't add any value and could reduce the reliability of your solution (like Scott said headaches down the road).
