I wonder if there's an easier path with a name-constrained intermediate; I don't know how that affects the auditing requirements. I thought that there was once an option involving name constraints that was much less rigorous in some regard, but I don't know if that still exists.
Anyway, maybe you could ask a commercial CA and/or PKI consultant about this option. Ideally it would lead to less stringent audit requirements than an unconstrained public CA. (Individual X.509 extensions can be marked as Critical which means that a client that doesn't understand the semantics of the extension should reject the certificate, whereas for a Not Critical extension a client that doesn't understand the extension may still accept the certificate. So the name constraint is normally always set as a Critical extension so that software that doesn't understand the restriction simply can't use those certificates at all... but I think all recent browsers do understand it.)
... actually, we have a forum thread from 2016 about this topic which says that at least at that time, Comodo offered this service commercially.
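To make the Critical / Not Critical point above concrete, here is an added example (not part of the original post, and not code from any CA or browser): a small model of how a client processes an intermediate's extensions and applies a permitted DNS subtree. The certificate data, the `MODERN`/`LEGACY` client sets and the function names are constructed for illustration; only permitted dNSName subtrees are modelled.

```python
# Constructed model of RFC 5280 extension processing, not a real X.509 parser.
NAME_CONSTRAINTS = "2.5.29.30"   # id-ce-nameConstraints
BASIC_CONSTRAINTS = "2.5.29.19"  # id-ce-basicConstraints


def dns_in_subtree(name, base):
    """dNSName rule: name matches if it equals base or adds labels on the left."""
    name, base = name.lower().rstrip("."), base.lower().rstrip(".")
    return base == "" or name == base or name.endswith("." + base)


def check_leaf(ca_extensions, leaf_dns_names, understood):
    """Decide whether a client accepts a leaf issued under an intermediate.

    ca_extensions: list of (oid, critical, value) on the intermediate.
    understood: set of extension OIDs this client implements.
    """
    permitted = None
    for oid, critical, value in ca_extensions:
        if oid not in understood:
            if critical:
                return False, "unrecognized critical extension " + oid
            continue  # unknown and non-critical: silently ignored
        if oid == NAME_CONSTRAINTS:
            permitted = value["permitted_dns"]
    if permitted is not None:
        for name in leaf_dns_names:
            if not any(dns_in_subtree(name, base) for base in permitted):
                return False, name + " is outside the permitted subtrees"
    return True, "accepted"


def intermediate(critical):
    """Constructed intermediate CA constrained to example.org."""
    return [(BASIC_CONSTRAINTS, True, {"ca": True}),
            (NAME_CONSTRAINTS, critical, {"permitted_dns": ["example.org"]})]


MODERN = {BASIC_CONSTRAINTS, NAME_CONSTRAINTS}
LEGACY = {BASIC_CONSTRAINTS}  # hypothetical client without name-constraint support

if __name__ == "__main__":
    for critical in (True, False):
        for label, client in (("modern", MODERN), ("legacy", LEGACY)):
            for leaf in ("www.example.org", "www.example.net"):
                print(critical, label, leaf,
                      check_leaf(intermediate(critical), [leaf], client))
```

The case to look at is the non-critical constraint with the legacy client: the out-of-scope name is accepted because the constraint is skipped, which is the situation marking the extension Critical prevents.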