The answer I received from the support engineer is that since the firewall is using the same MAC for each subinterface, the only way to correctly map the topology would be a discovery protocol such as CDP or LLDP.
Since these protocols aren't secure, that's not much help.
I believe that mapping should be possible based on more than ARP tables and insecure discovery protocols. I think an RFE is in order, to allow the creation of complex connectivity policies.
After all, I can't be the only customer using trunks from firewalls or connecting GRE tunnels to one another.