First, microsegmentation is a grave mistake. It's a maintenance nightmare and actively encourages people to build applications in ways which are extraordinarily difficult to reason confidently about when troubleshooting. I say this from extensive, painful experience.
If you are absolutely sure you want to wreck the datacenter, it's possible to do as long as your switches and your hypervisor platform support private VLANs. It could also be done with MPLS route distinguishers (I originally misspoke and said "descriptors") and route targets, but that's much more exotic, so you're less likely to find people who can support MPLS in this way. Give all of your VMs and physical endpoints (not the firewalls) a 32-bit (or 128-bit for IPv6) netmask and a gateway address. Give your firewalls the normal netmask. When endpoints try to go anywhere, the frame goes to the gateway's MAC. The gateway then filters it and sends it back out the same interface to the destination. The private VLAN or MPLS configuration enforces this traffic pattern, so a misconfigured VM or physical host can't talk to anything on its local network.
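The forwarding behaviour the post describes (every endpoint on a /32 so all traffic is sent to the gateway MAC, the firewall filtering and hairpinning it back out the same interface, and the private VLAN dropping anything an isolated port tries to send to another isolated port) is easy to misread until you see the pieces interact. The model below is an added illustration written for this page, not code from the post or from any switch or hypervisor vendor; the host names, addresses, MACs and the firewall policy are constructed sample values. It also covers the failure mode the post mentions: a VM given a /24 by mistake tries to reach its neighbour directly and its ARP never gets an answer, because the isolated port cannot reach the other isolated port.

```python
"""Forwarding model of the "/32 netmask + private VLAN" design.

Added illustration only; hosts, addresses, MACs and policy below are
constructed sample values, not taken from any real network.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

ISOLATED = "isolated"        # endpoint ports: may only exchange frames with the promiscuous port
PROMISCUOUS = "promiscuous"  # the firewall's port: may exchange frames with every port


@dataclass
class Host:
    name: str
    ip: str
    prefixlen: int   # 32 is the intended endpoint config; wider is the "misconfigured VM" case
    gateway: str
    mac: str

    def next_hop(self, dst_ip: str) -> str:
        """Ordinary host routing: on-link if dst falls in the local prefix, else the gateway."""
        local = ipaddress.ip_network(f"{self.ip}/{self.prefixlen}", strict=False)
        return dst_ip if ipaddress.ip_address(dst_ip) in local else self.gateway


class PrivateVlanFabric:
    """One private VLAN with a single promiscuous port (the firewall) and isolated endpoint ports."""

    def __init__(self, firewall: Host, policy: Set[Tuple[str, str]]):
        self.firewall = firewall
        self.policy = policy                      # allowed (src_ip, dst_ip) pairs, checked at the firewall
        self.role: Dict[str, str] = {firewall.mac: PROMISCUOUS}
        self.hosts: Dict[str, Host] = {firewall.ip: firewall}

    def attach(self, host: Host) -> None:
        self.role[host.mac] = ISOLATED
        self.hosts[host.ip] = host

    def can_forward(self, src_mac: str, dst_mac: str) -> bool:
        """Private-VLAN rule: a frame between two isolated ports is dropped by the switch."""
        return PROMISCUOUS in (self.role[src_mac], self.role[dst_mac])

    def arp(self, requester: Host, ip: str) -> Optional[str]:
        """ARP request: a broadcast from an isolated port only reaches the promiscuous port."""
        target = self.hosts.get(ip)
        if target is None or not self.can_forward(requester.mac, target.mac):
            return None
        return target.mac

    def send(self, src: Host, dst_ip: str) -> Tuple[str, List[str]]:
        """Trace one packet from src to dst_ip; returns (outcome, hops)."""
        path: List[str] = []
        hop_mac = self.arp(src, src.next_hop(dst_ip))
        if hop_mac is None:
            return "unreachable: no ARP reply through the private VLAN", path
        path.append(f"{src.name}->{self._name(hop_mac)}")
        # Only the firewall's MAC can be learned from an isolated port, so the
        # packet is now at the firewall: filter it, then hairpin it back out.
        if (src.ip, dst_ip) not in self.policy:
            return "dropped by firewall policy", path
        dst_mac = self.arp(self.firewall, dst_ip)
        if dst_mac is None:
            return "unreachable: destination unknown to firewall", path
        path.append(f"{self.firewall.name}->{self._name(dst_mac)}")
        return "delivered via firewall", path

    def _name(self, mac: str) -> str:
        return next(h.name for h in self.hosts.values() if h.mac == mac)


def build_demo() -> Tuple[PrivateVlanFabric, Dict[str, Host]]:
    """Constructed sample topology: firewall with the normal /24, endpoints on /32, one rogue /24."""
    fw = Host("fw", "10.0.0.1", 24, gateway="10.0.0.1", mac="02:00:00:00:00:01")
    policy = {("10.0.0.10", "10.0.0.20")}     # only web -> db is permitted
    fabric = PrivateVlanFabric(fw, policy)
    hosts = {
        "web": Host("web", "10.0.0.10", 32, "10.0.0.1", "02:00:00:00:00:10"),
        "db": Host("db", "10.0.0.20", 32, "10.0.0.1", "02:00:00:00:00:20"),
        "app": Host("app", "10.0.0.30", 32, "10.0.0.1", "02:00:00:00:00:30"),
        "rogue": Host("rogue", "10.0.0.40", 24, "10.0.0.1", "02:00:00:00:00:40"),  # wrong mask
    }
    for h in hosts.values():
        fabric.attach(h)
    return fabric, hosts


if __name__ == "__main__":
    fabric, h = build_demo()
    for src, dst in (("web", "10.0.0.20"), ("web", "10.0.0.30"), ("rogue", "10.0.0.20")):
        outcome, hops = fabric.send(h[src], dst)
        print(f"{src} -> {dst}: {outcome} {hops}")
```

The "rogue" host is the case the post's last sentence is about: with a /24 it decides the database is on-link and ARPs for it directly, but the switch never carries that broadcast to another isolated port, so the host simply sees no reply. On a Linux endpoint the intended /32 configuration is the usual three commands (`ip addr add 10.0.0.10/32 dev eth0`, `ip route add 10.0.0.1/32 dev eth0`, `ip route add default via 10.0.0.1 dev eth0`), and an endpoint whose ARP cache holds entries for anything other than the gateway is a quick sign that its mask has drifted from the design.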