Just to clarify, I saw this as two separate inquiries. The initial inquiry: Can I use an AMT equipped machine for a pfSense deployment. Answer: Yes, just don't use the on-board Ethernet ports. AMT is hard coded to use only a single, designated on-board Ethernet port. It is unable to communicate via an add-on PCIe network card.
Inquiry/assertion number two: If a machine is vulnerable to the AMT bug, there is absolutely nothing that you can do to mitigate the problem. Answer: I interpreted this as a more generic statement about all AMT equipped machines in general, and not specifically related to the OP's original question about a firewall deployment. To this I answered that you can use a firewall, pfSense being my preferred solution, to effectively quarantine any other machines with AMT capabilities on your network by blocking off the ports that they use for comms, such as 169932, 16993, etc. This is necessary because the Windoz built-in firewall will not block AMT comms. This pfSense machine can be non-AMT equipped, as mine is, or AMT equipped with a non-AMT compliant CPU, or AMT equipped with add-in PCIe NICs, etc.
Additionally, you mention that AMT can be disabled in BIOS. I'm not sure that this is strictly true, although there always seem to be edge cases, eh? The reports that I've seen have all stated that there is no way to turn AMT completely off in BIOS, or otherwise. While this is a scary prospect, IIRC, even if all the AMT hardware and software components are present and correct, AMT still must be configured by your friendly enterprise IT department before it will respond to pings, so it is unlikely that consumer grade hardware is vulnerable. More troubling would be server grade hardware and business class laptops, whose default AMT configuration states are likely all over the map.
Another troubling aspect of this AMT dilemma, at least for someone like me, who is using a business class laptop, is the built-in Intel Theft Recovery feature. In the event of theft, an IT department can remotely log into my laptop, delete the hard disk contents and lock the machine. I would assume that this functionality piggybacks on the AMT capabilities of this machine, but I have seen nothing to clarify/verify this concern, nor do I fully understand what the default configuration of this "feature" exposes me to. Needless to say, my Lenovo will not be leaving home, until I have a more complete understanding of these various attack vectors.
Full disclosure: I am not an Intel employee with intimate knowledge of how AMT works. I merely relate my best understanding of the situation after doing considerable reading on the topic. I have a couple of Supermicro based servers running at home and I also have a Lenovo business class laptop, so I am keen to understand this vulnerability. YMMV! Trust, but verify!
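A small detection check for the quarantine approach described in the post, added here as an example and not part of the original post: it scans pfSense filterlog records (CSV layout assumed as described in the docstring, not taken from the post) for traffic to Intel AMT management ports and reports the hosts that were actually reached, which is where a block rule is still missing.

```python
"""Flag Intel AMT management-port traffic in pfSense filterlog lines.

Assumptions (not from the forum post): the CSV layout follows pfSense's
filterlog format as I understand it (rule,subrule,anchor,tracker,iface,
reason,action,dir,ipver, then for IPv4: tos,ecn,ttl,id,offset,flags,
proto-id,proto-name,length,src,dst, then for TCP/UDP: sport,dport,...).
Only IPv4 TCP/UDP records are examined; anything else is skipped.
"""
from collections import defaultdict

# Ports Intel AMT listens on: 16992/16993 (WS-Management HTTP/HTTPS),
# 16994/16995 (SOL/IDE-R redirection), 623/664 (ASF-RMCP / RMCP+).
AMT_PORTS = {623, 664, 16992, 16993, 16994, 16995}

def parse_filterlog(line):
    """Return a dict for an IPv4 TCP/UDP record, or None for anything else."""
    f = line.strip().split(",")
    if len(f) < 22 or f[8] != "4" or f[16] not in ("tcp", "udp"):
        return None
    return {"action": f[6], "dir": f[7], "proto": f[16],
            "src": f[18], "dst": f[19], "dport": int(f[21])}

def amt_events(lines):
    """Parsed records whose destination port is an AMT management port."""
    out = []
    for line in lines:
        rec = parse_filterlog(line)
        if rec and rec["dport"] in AMT_PORTS:
            out.append(rec)
    return out

def passed_amt_targets(lines):
    """Hosts that were *reached* on an AMT port (action == pass) -> sorted ports.
    A blocked probe is the firewall doing its job; a passed one is a gap."""
    hits = defaultdict(set)
    for rec in amt_events(lines):
        if rec["action"] == "pass":
            hits[rec["dst"]].add(rec["dport"])
    return {host: sorted(ports) for host, ports in hits.items()}

# Constructed sample records (not real logs): a blocked WS-Man probe, a passed
# WS-Man TLS session, a passed RMCP datagram, and unrelated HTTPS traffic.
SAMPLE = [
    "5,,,1000000103,em1,match,block,in,4,0x0,,64,1001,0,DF,6,tcp,60,10.0.0.77,10.0.0.20,51000,16992,0,S,1,,65535,,mss",
    "7,,,1000000110,em1,match,pass,in,4,0x0,,64,1002,0,DF,6,tcp,60,10.0.0.77,10.0.0.21,51001,16993,0,S,1,,65535,,mss",
    "7,,,1000000110,em1,match,pass,in,4,0x0,,64,1003,0,none,17,udp,72,10.0.0.77,10.0.0.21,51002,623,52",
    "7,,,1000000110,em1,match,pass,in,4,0x0,,64,1004,0,DF,6,tcp,60,10.0.0.77,10.0.0.30,51003,443,0,S,1,,65535,,mss",
]

if __name__ == "__main__":
    for host, ports in passed_amt_targets(SAMPLE).items():
        print(f"AMT port(s) {ports} reachable on {host}: add a block rule")
```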