Hello @SAP Azure , Thank you for reaching out.
Yes it is possible to protect traffic with NVA firewall as you can redirect all traffic through it using static routes/ User Defined routes. You can refer to this architecture for implementing highly available NVAs in Azure.
Azure Azure App Gateway - WAF provides these benefits, at application layer and is highly recommended for web workloads. Regarding implementing a Firewall along with a WAF you can refer to this document which describes the benefits of implementing both and in what order. Additionally you can also follow this best practices doc for NVA deployment.
As both Azure Traffic manager and Azure CDN come under Application delivery services of Azure Networking. You can go through this document to understand the benefits of using them together.
Please let me if have any additional questions or concerns, I will be glad to continue with our discussion. Thank you!