The "rewrite to special PHP script" can go in one of two places.
1. After rules that block and indeed after rules that redirect, down there where "normal" rewrites usually go. This is usually NOT a good idea because non-www requests for the old URL will be redirected to www before the rewrite kicks in to the PHP script which then issues its own redirect. Non-www requests for the old URL will create a two-step redirection chain:
non-www OLD URL -> www OLD URL -> www new URL
It's also possible that some other earlier, more general rule will match the request and produce the wrong result.
2. After rules that block and before rules that redirect. Ultimately, URL requests that match the RegEx pattern will be redirected (by the PHP script). I prefer this, as it means all requests that will be redirected are listed before the non-www/www canonicalisation rule (it usually also nicely fits the required ordering from most specific to most general too). However, you MUST add the fixup PHP script path as an exclusion to the non-www/www rule, otherwise non-www requests for old URLs will be redirected to a www URL with the PHP script location as the path:
non-www OLD URL -> www PHP script -> www new URL
Again, this multi-step redirection chain is a bad thing, and the extra RewriteCond attached to the non-www/www canonicalisation rule prevents it from happening.
I remember a site that had hundreds of thousands of old URLs that needed to be redirected via just such a PHP script. To invoke the PHP script(s), just five RewriteRules were needed. These went at the top of the htaccess file right after rules that block malicious requests. All other requests breezed through these five rules without matching and on to the more normal sort of htaccess code below.
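The ordering described in option 2, as an added example that is not part of the original post. The hostname `www.example.com`, the script name `/redirect-fixup.php`, the old-URL pattern and the blocking rule are all assumptions chosen for illustration.

```apache
# Constructed example: hostname, paths and patterns are assumptions.
RewriteEngine On

# 1. Rules that block come first.
#    (Constructed rule: refuse requests for anything under a .git directory.)
RewriteRule (?:^|/)\.git(?:/|$) - [F]

# 2. Internal rewrite of old URLs to the fixup script (hypothetical name).
#    There is no R flag here: the client sees nothing yet. The PHP script
#    looks up the new URL and issues the one and only 301, straight to the
#    www new URL, so a non-www request takes a single hop.
RewriteRule ^old-catalog/item-([0-9]+)\.html$ /redirect-fixup.php?id=$1 [L]

# 3. Non-www/www canonicalisation. The first RewriteCond is the required
#    exclusion: in .htaccess the rule set runs again after the rewrite in
#    step 2, and without this condition a non-www request for an old URL
#    would be redirected to https://www.example.com/redirect-fixup.php?id=...
RewriteCond %{REQUEST_URI} !^/redirect-fixup\.php$
RewriteCond %{HTTP_HOST} !^www\.example\.com$ [NC]
RewriteRule ^(.*)$ https://www.example.com/$1 [R=301,L]

# 4. "Normal" internal rewrites go below this point.
```

To check the result, request a non-www old URL with `curl -sIL` and confirm that the output shows exactly one 301 and that no `Location` header contains the script path.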