Yes, ACS fits in nicely between MFG and the RP, as you suggest.
I find it useful to think of ACS in one of two ways in relation to MFG, depending on which perspetive I am coming at it from:
Either, MFG (and IdP's in general) provides the authentication / base identity claims layer, and there is another architecture layer above that which handles authorization (eg ACS).
Or, ACS is a resource STS that is downstream from MFG. To MFG whatever relying parties and/or STS's (or even chain of RPs/STSs) are downstream is just a black box -- MFG issues tokens and sends them to the next address for that RP, and whether that be ACS
or direct to an application is not something that MFG needs to know.
In general, an app will always have some kind of authorization / permissioning logic somewhere -- and whether that be provided by the app itself or offloaded to ACS is a design choice that is pretty much completely invisible to MFG.
Hope this helps explain the relationshiop between MFG and ACS.
I am really looking forward to meeting you at PDC this year to talk about all the interesting ways that developers can leverage the Live ID Identity Services for your own web sites and applications.
I have some ideas on what developer-oriented features to show you in theis session, but I would be particularly interested to hear if there are any specific topics that you would like to hear about? Let me know by adding a comment to this page.