We do this and it works very well.
We set up a VCD Blocking Task on the start operation of the vApp (and used VCO to do the processing of this task).
On start of the vApp, VCD sends a blocking task into the AMQP bus and will not start until this is completed. Then we have VCO pick up this blocking task and process it (adding firewall rules and making the task complete). At this point the vApp will "start", but we know the rules have been added before it happens, so all is secure.
Hope this gets you going. If you need any more details, just ask. This was one of the first things we used BlockingTasks for, as we needed firewall rules to be forced.
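
A sketch of the handler logic described in the post above, added here as an example and not the poster's actual VCO workflow: the vApp is only released once the firewall rules have been read back and verified, and the blocking task is failed otherwise. The message fields, the `VAPP_START` label, the rule set and the `firewall` / `vcd` objects are hypothetical stand-ins for the AMQP payload, the firewall API and the blocking-task resume/fail calls.

```javascript
// Added example: fail-closed processing of a vApp-start blocking task.
// All names below (message fields, firewall/vcd helpers) are assumptions.
function ruleKey(r) {
  return [r.vappId, r.proto, r.port, r.action].join('|');
}

function requiredRulesFor(vappId) {
  // Constructed baseline policy: allow HTTPS in, deny everything else.
  return [
    { vappId, proto: 'tcp', port: 443, action: 'allow' },
    { vappId, proto: 'any', port: 0, action: 'deny' },
  ];
}

function handleBlockingTask(msg, firewall, vcd) {
  // Not a task we registered for: leave it alone, never resume it blindly.
  if (!msg || !msg.taskId || msg.operation !== 'VAPP_START') return 'ignored';
  try {
    if (!msg.vappId) throw new Error('no vApp reference in message');
    const wanted = requiredRulesFor(msg.vappId);
    const have = new Set(firewall.list(msg.vappId).map(ruleKey));
    for (const r of wanted) {
      // Skip rules already present so a redelivered message adds no duplicates.
      if (!have.has(ruleKey(r))) firewall.add(r);
    }
    // Read the rules back and verify them before letting the vApp start.
    const now = new Set(firewall.list(msg.vappId).map(ruleKey));
    const missing = wanted.filter((r) => !now.has(ruleKey(r)));
    if (missing.length > 0) throw new Error(missing.length + ' rule(s) missing');
    vcd.resume(msg.taskId, 'firewall rules verified');
    return 'resumed';
  } catch (err) {
    // Fail closed: the start operation is rejected, the vApp stays powered off.
    vcd.fail(msg.taskId, 'firewall setup failed: ' + err.message);
    return 'failed';
  }
}
```

The task is resumed in exactly one place, after verification, so an exception or a silently dropped rule can never lead to a started vApp without its rules.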