As always, it depends. If your actual firewalls do all of the processing for Internet-traffic, you only need the MX-Enterprise licenses which will save you money. But you have to maintain two platforms. If you move the firewalling to the MX, you will likely go with the Advanced Security license because that will give you more security-features. Very positive with Meraki MX, for high-availability you only need an additional MX, but not an extra license.
For the sizing, the sites with 250 users will likely be a candidate for the MX95, while the sites with 800 users could use a MX250. But you should also take into account the needed throughput for internet-traffic and VPN.