Yup - you can do after XOR! The reason for after S-Box though is the S-Box is non-linear. This is nice because wrong guesses become "further away". So for example if attacking after XOR: 0x01 XOR 0xAF = 0xAE 0x02 XOR 0xAF = 0xAD 0x03 XOR 0xAF = 0xAC etc So notice that each guess (1, 2, 3) results in a prediction output that is closer. This means you often end up with a few guesses with higher correlation - the right one will still be the highest, but you might need more traces for this to be obvious. With XOR you will also get the inverse being the same high (but negative) correlation value, so you'll get two potential answers even then. But after the S-Box you don't have this same linear relationship, so only the correct guess tends to stand out (there is another problem called 'ghost peaks' where you can in fact get other peaks that are also high, but it seems to be much less frequent, but if you search 'ghost peaks cpa' you'll see some references to this).

@@ColinOFlynn Got it, thanks for the explanation!