Yes, that should work as described.
Be sure you connect the MPLS line as a separate routed link on the firewall and not to the same trusted subnet where the end user devices are. If it is in the same subnet, you will end up with some asymmetrical traffic that will cause flow failures on the firewall.
The new interface can also be in the trust zone if you want. And be sure to remove interface NAT if it gets turned on by default, so your cloud firewall does the NAT and not the local firewall.