Short answer: No.
Long answer: Changing your configuration and/or working in commercial space might work out.
Technical specifications regarding eSIM and Remote SIM Provisioning are provided by GSMA. They are freely available on the GSMA website.
Information regarding profiles can be found in SGP.22:
> Profile - A combination of data and applications to be provisioned on an eUICC for the purpose of providing services.
>
> Profile Component - A Profile Component is an element of the Profile, when installed in the eUICC, and MAY be one of the following:
> - An element of the file system like an MF, EF or DF;
> - An Application, including NAA and Security Domain;
> - Profile Metadata, including Profile Policy Rules;
> - An MNO-SD.
You can get examples for test profiles from the Android Open Source Project:
> Android provides downloadable test profiles for testing the radio implementation of devices supporting eSIM. For testers that need to download a test profile defined in TS.48, Android provides a mechanism in its SM-DP+ to facilitate the download of up-to-date test profiles. When a tester scans a QR code for a test profile, the SM-DP+ downloads the test profile to the target device. Because there are no download or profile policy rules implemented, there are no limits to the number of downloads or the devices that can download the profiles. The device downloading the test profiles must have a test certificate issued by a GSMA CI.
A very nice and detailed RSP overview is also given by Kigen. It shows which components are involved and how they relate to each other. In your case: DP+ server <--> Cellular Network <--> Device (Google Pixel 3a) with Local Profile Assistant <--> eUICC (eSIM chip) already in device.
> End-to-end security is built into RSP. All exchanges between the SM-DP, SM-SR, and eUICC rely on digital certificates (PKIs) or pre-shared keys (PSKs), which can be revoked at any time if security concerns arise. An eUICC receiving SMS messages uses AES encryption, and HTTPS card to server data sessions use Transport Layer Security (TLS) to protect over-the-air communication.
Usually, only the eUICC manufacturer/provider has the keys necessary to modify the concerned eUICC's content.
Therefore, you will not be able to install your TLS certificate or your key(s) into it.
This means that your DP+ needs to have a certificate which is issued by the GSMA Certificate Issuer in order to install a profile on your Google Pixel 3a. (This is the way the Android Open Source Project went. You ruled it out as overkill.)
Additionally, as far as I know, there are no open or free SM-DP+ server implementations available.
You might take a look at companies which offer DP+ as a cloud service and connect your mock cellular network to it.
For completeness, as far as I know, there are no open or free eSIM-capable eUICCs available. Therefore, it is not possible to circumvent the issue from that side.
A test environment matching your set-up is also described by Cellnetrix (acquired by Truphone) on Slideshare.
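
The QR code mentioned in the AOSP quote carries an activation code whose second field names the SM-DP+ the LPA will contact, and it is that server's certificate that has to chain to the GSMA CI. As an added example (not part of the original answer), this Python parser decodes the `LPA:1$address$MatchingID[$OID[$flag]]` layout from SGP.22; the sample payload, the host name and the strictness of the checks are assumptions of this example.

```python
import re
from dataclasses import dataclass

# The address field must be a bare host name: no scheme, port, path or IP literal.
_FQDN = re.compile(
    r"^(?=.{1,253}$)([A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?\.)+[A-Za-z]{2,63}$"
)
_OID = re.compile(r"^\d+(\.\d+)+$")


@dataclass
class ActivationCode:
    smdp_address: str                 # server the LPA will open a TLS session to
    matching_id: str                  # may be empty
    smdp_oid: str                     # optional, empty when absent
    confirmation_code_required: bool  # True when the fifth field is "1"


def parse_activation_code(qr_payload: str) -> ActivationCode:
    """Decode a QR payload; raise ValueError on anything malformed."""
    text = qr_payload.strip()
    if text.upper().startswith("LPA:"):   # prefix used when carried in a QR code
        text = text[4:]
    fields = text.split("$")
    if len(fields) < 3:
        raise ValueError("need format, SM-DP+ address and MatchingID fields")
    if fields[0] != "1":
        raise ValueError(f"unsupported activation code format {fields[0]!r}")
    address, matching_id = fields[1], fields[2]
    if not _FQDN.match(address):
        raise ValueError(f"SM-DP+ address is not a plain FQDN: {address!r}")
    oid = fields[3] if len(fields) > 3 else ""
    if oid and not _OID.match(oid):
        raise ValueError(f"SM-DP+ OID is not a dotted OID: {oid!r}")
    flag = fields[4] if len(fields) > 4 else ""
    if flag not in ("", "1"):
        raise ValueError(f"unexpected confirmation code flag {flag!r}")
    # Fields beyond the fifth are not interpreted (choice made for this example).
    return ActivationCode(address, matching_id, oid, flag == "1")


if __name__ == "__main__":
    # Constructed sample payload; smdp.example.test is a placeholder host.
    sample = "LPA:1$smdp.example.test$04386-AGYFT-A74Y8-3F815"
    print(parse_activation_code(sample))
```
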