Generalized oversubscription like that is very challenging, if not impossible, to do securely, since you want to keep workloads isolated to single-tenant NUMA nodes.
E.g. using the Firecracker jailer: https://github.com/firecracker-microvm/firecracker/blob/main...