You could use an install hook to check if you can do an operation allowed by the firewall-control interface (eg, /sbin/iptables --version, but it could be anything you want), then if it fails, create a stamp file in $SNAP_COMMON. Then your oneshot service checks if the stamp file exists and if so, exits with a message to tell the user to run ‘sudo snap connect :firewall-control’.
The user cannot, but there is something called a ‘snap declaration’ that can be issued by the store to auto-connect it on install. There is a process for requesting that: Process for aliases, auto-connections and tracks