Regarding your suggestion to use IPSEC for failover, and who's responsibility is it to provide internet access.
The MPLS provider would/should be able to provide internet access for you if you'd like, you can also reject their internet service or ask them to use a separate VC/VLAN/DLCI on the CE<>PE connection that will be direct to internet. You can most definitely use IPsec across their MPLS network, and it may even still be suggested if you don't want unencrypted raw traffic on their "trusted" network. (remember, from their core perspective, there is nothing confidential about MPLS, just a few protocol shim headers "popped" and your IP datagram and company secrets are exposed.)
It will not be difficult to firewall your internet access (if provided by the MPLS provider) with the PFsense in this scenario. The best option is to put your own PFsense on the LAN side of each CE (customer edge) router they give you and treat them as an un-trusted network if you go this route.
If you want a separate DSL or other ISP services at each site for failover VPN and internet purposes, you can still do that with the PFsense using an OPTx interface and another set of IPSEC tunnels to be back-up.
your IPSEC tunnels can be run PF<>PF from site to site over the MPLS and if that goes down, the DSL would/should automatically take over. Just run the cost/benefit analysis; an MPLS architecture, if they're doing it right, is redundant by itself. As long as they have redundancy in the core it should re-route itself easily. Your only protecting yourself from a "last mile" outage and hoping that your MPLS proider isn't on the same transport run/LEC as your DSL/ISP provider.
Hope this helps!
–James