>Or does the esim spec have some kind of DRM to require you to use physical hardware with an embedded yet secret-to-you key?

Yes. Basically there's an accreditation process by the GSMA, and if your esim doesn't have a certificate chain leading back to GSMA, you won't be able to get your esim provisioned.

https://media.ccc.de/v/camp2023-57190-demystifying_esim_tech...

There is SoftSIM, but I think it’s geared towards IOT applications: https://onomondo.com/product/softsim/