Parameters can be used in any place where a literal value is allowed; your SQL query itself looks fine.
However, the Android database API forces you to use string parameters, so all parameter values will be seen as strings by the database. This will make many comparisons fail, or break other operations done on these values.
Parameters are most important for strings, where formatting problems and SQL injection attacks are possible. For plain numbers, you could just insert them directly into the SQL string. Alternatively, convert the string values back into numbers in the database:
MakePointZ(CAST(? AS REAL), CAST(? AS REAL), ...)
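To see the text-binding problem described in this answer without an Android device, here is an added example (not part of the answer above) that uses Python's sqlite3 module and deliberately converts every parameter to a string, which is what `SQLiteDatabase.rawQuery(sql, String[] selectionArgs)` does. `MakePointZ` needs the SpatiaLite extension, so the built-in `max()` function stands in for it; the numbers and the helper names are constructed for the demonstration.

```python
import sqlite3


def query_scalar(sql, params):
    """Run a one-row, one-column query against a throwaway in-memory SQLite database."""
    con = sqlite3.connect(":memory:")
    try:
        return con.execute(sql, params).fetchone()[0]
    finally:
        con.close()


def android_style_params(*values):
    """Constructed stand-in for selectionArgs: every value is bound as TEXT."""
    return tuple(str(v) for v in values)


# Comparison of two bound values: both are TEXT, so SQLite compares them as strings.
def compare_as_bound(x, y):
    return query_scalar("SELECT ? < ?", android_style_params(x, y))


# Same comparison after CAST(? AS REAL): numeric comparison again.
def compare_with_cast(x, y):
    return query_scalar(
        "SELECT CAST(? AS REAL) < CAST(? AS REAL)", android_style_params(x, y)
    )


# A scalar function over bound values (stand-in for MakePointZ): max() picks by string order.
def max_as_bound(x, y):
    return query_scalar("SELECT max(?, ?)", android_style_params(x, y))


def max_with_cast(x, y):
    return query_scalar(
        "SELECT max(CAST(? AS REAL), CAST(? AS REAL))", android_style_params(x, y)
    )


# Bound value against a numeric literal: in SQLite's type ordering every TEXT value
# sorts after every number, so '5' < 10 is false regardless of the digits.
def less_than_literal_as_bound(x):
    return query_scalar("SELECT ? < 10", android_style_params(x))


def less_than_literal_with_cast(x):
    return query_scalar("SELECT CAST(? AS REAL) < 10", android_style_params(x))


if __name__ == "__main__":
    print("'9' < '10' as bound text :", compare_as_bound(9, 10))        # 0 (false)
    print("with CAST                :", compare_with_cast(9, 10))       # 1 (true)
    print("max('9', '10') as text   :", max_as_bound(9, 10))            # '9'
    print("with CAST                :", max_with_cast(9, 10))           # 10.0
    print("'5' < 10 as bound text   :", less_than_literal_as_bound(5))  # 0 (false)
    print("with CAST                :", less_than_literal_with_cast(5)) # 1 (true)
```

Note that a column with REAL affinity (for example `WHERE x = ?` on a REAL column) will coerce the bound text for you, which is why the problem often only surfaces inside function calls and comparisons between expressions, where no column affinity applies. Casting the parameter in the SQL keeps the value parameterized (so no injection risk) while restoring numeric semantics.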