As you described, we can approach the solution in multiple ways.
If we let all the VLANs be exposed directly to the firewall, then there is no need for VRFs, so you can configure ACLs and route policies on the firewall. With this approach, traffic between each VLAN (east-west) has to transit via the firewall, which is not optimal.
If we configure one VRF for 20+ VLANs, and one transit VLAN towards the firewall for each VRF, it will help to segment nicely and have inter-VLAN traffic routed within the Core/Agg (which is the more optimal way). If you plan to configure ACLs between the VLANs within a VRF, you can do that as well, but I would prefer to leave the security function to a stateful firewall rather than a switch, so it's best to group VLANs into a VRF with the VLANs that do not require any ACLs, then configure a transit VLAN for each VRF and configure stateful ACLs on the firewall.
Regarding route policies, I may need more details on the requirement to advise correctly. If you have multiple gateways connected to the switch and the redirect depends on the specific destination, we have to do this on the Core/Agg switch.
Hope this helps