You've got quite a range of budget there. F5 and Barracuda in the same sentence! It's been awhile since I was in this space so take this fwiw.

I've used F5 products in the past as well as Barracuda. F5 makes a tremendous product with a lot of flexibility. The barracuda products are good for the price point and kind of just work out of the box. I've never used the Cuda WAF but if its anything like their other products, its going to be OK.

I agree with your assessment of the WAF as a VM on the same host as your web boxes. Physically separate would be ideal, even from simply a performance standpoint. However, I'm sure with enough resources you could stuff it all on one host. From a security perspective you're really talking about jumping out of a guest and into another guest, which in my opinion, is probably low risk if you're doing everything correctly. I suppose there could be a potential for VLAN hopping too. I would make sure F5 even offers the VM solution instead of the appliance.

Keep in mind that configuring services in a secure way, and using an up to date stable application without any vulnerable add-ons, will eliminate most attacks. Of course the operating system should be hardened and the environment chrooted, in case it isn't already. 

That being said, I don't know the mentioned WAFs, but I do know that you can configure mod_security specifically for a web application, so if integer input is expected, only integer input should be allowed.

I don't really see any problems deploying a WAF / Load Balancer on the same box, even though they should be physically separate. What's more important is that they're securely configured in the virtual environment, so that e.g. direct access to the actual web server is not allowed / possible when the WAF / Load Balancer is not available.