If you have a vpn active on your host and your routing is all traffic goes through the tun or tap virtual device you will have this:
User --vpn–Tor network
The way that Virtualbox does the NAT networking is all traffic generated from Whonix activity in Workstation routes via the internal network (eth1) to the Gateway (Tor) and your host will send the received packets to the vpn server. Virtualbox uses a NAT engine (address 10.0.2.2) that collects the Gateway’s traffic and sends it to the host
To be really secure it is important to have a leak free setup on your host. A good firewall is essential.
When vpn is on the host set to route everything through the vpn server, you have a “vpn through Tor” (user-vpn-Tor) direction. It is important that ALL host traffic is routed through vpn. You can check that by making sure (on host) traffic goes through a TAP interface if Windows, and tun0 if on Linux. This interface should be the default gateway, usually 10.8.x.x or 10.7.x.x depending on specific OS.
The user-vpn-Tor would have the vpn provider see that you are connecting to the Tor network. They would see the address of the entry guard or bridge, but that’s it. They do not know what you are doing in Tor network. Since you have to sign into the vpn service from host’s ip, they see the original connecting address.They know that a person at your host IP signed into their service at whatever time and that you are using the Tor network. Depending on your requirements this may be acceptable or not. How you paid for the vpn, if there is a paper trail from a credit card, paypal, etc will also be stored by the provider
Visited websites from when you are using Whonix would only see the address of the exit node that connects to them, not the entry guard, not the vpn server ip, and not the host ip.
To create a user-Tor-vpn, you connect to the vpn service from inside the workstation and there are some modifications made to the network too. See the wiki for a detailed explanation
hopefully this helps to answer your question