Let’s think:
Traffic from App-vm is encrypted and directed to the VPN server.
When it gets to sys-pihole (and sys-firewall) it is already encrypted
and packaged for the VPN. So those servers can do nothing with it.
This may be what you want.
If you do want to use sys-pihole you need to place it before
sys-vpn, so that the ad and tracker limits take place before traffic is
sent down the VPN.
App-vm > sys-pihole > sys-vpn > sys-firewall > sys-net
The problem with this is that the firewall only sees traffic on its way
to the VPN.
If you want to use the Qubes firewall you need to place it before the
VPN. You can’t put it after pihole because then it will see only traffic
from that IP, so can’t enforce traffic on the App-vm.
App-vm > sys-firewall > sys-pihole > sys-vpn > sys-net
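
Added example, not part of the original post: a dom0 shell script that walks a qube's netvm chain and checks the ordering discussed above (sys-pihole closer to App-vm than sys-vpn, sys-firewall directly behind App-vm). It assumes `qvm-prefs <qube> netvm` prints the upstream qube's name, and an empty line or `None` at the end of the chain; the function names are hypothetical helpers.

```shell
#!/bin/sh
# Added example: verify the order of qubes in a netvm chain (run in dom0).
# Qube names are the ones used in the post; helper names are hypothetical.

# Look up the netvm of qube $1. Assumption: qvm-prefs prints the name,
# or an empty line / "None" when the qube has no netvm.
qvm_netvm() {
    qvm-prefs "$1" netvm
}

# Print the chain starting at qube $1, one qube per line.
netvm_chain() {
    vm=$1
    hops=0
    while [ -n "$vm" ] && [ "$vm" != "None" ]; do
        printf '%s\n' "$vm"
        hops=$((hops + 1))
        # Stop on an implausibly long chain (misconfiguration or loop).
        [ "$hops" -ge 16 ] && return 1
        vm=$(qvm_netvm "$vm" 2>/dev/null) || return 1
    done
}

# Print the 1-based position of qube $2 in the chain of $1; fail if absent.
hop_index() {
    netvm_chain "$1" |
        awk -v q="$2" '$0 == q { print NR; found = 1; exit }
                       END { exit !found }'
}

# Succeed only if qube $2 sits closer to the app qube $1 than qube $3,
# i.e. $2 handles the traffic before $3 does.
is_before() {
    a=$(hop_index "$1" "$2") || return 1
    b=$(hop_index "$1" "$3") || return 1
    [ "$a" -lt "$b" ]
}

# Typical checks for the second layout in the post:
#   is_before App-vm sys-pihole sys-vpn   # filtering happens before the VPN
#   [ "$(hop_index App-vm sys-firewall)" = 2 ]   # firewall is App-vm's netvm
```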