Can multiple VMs share a host netdev by filtering incoming traffic based on each VM's MAC address and directing it to the appropriate XSK? If yes, then I think AF_XDP is interesting when SR-IOV or similar hardware features are not available.
The idea of an AF_XDP passthrough device seems interesting because it would minimize the overhead and avoid some of the existing software limitations (mostly in QEMU's networking subsystem) that you described. I don't know whether the AF_XDP API is suitable or can be extended to build a hardware emulation interface, but it seems plausible.

When Stefano Garzarella played with io_uring passthrough into the guest, one of the issues was guest memory translation (since the guest doesn't use host userspace virtual addresses). I guess AF_XDP would need an API for adding/removing memory translations or operate in a mode where addresses are relative offsets from the start of the umem regions (but this may be impractical if it limits where the guest can allocate packet payload buffers).

Whether you pursue the passthrough approach or not, making -netdev af-xdp work in an environment where QEMU runs unprivileged seems like the most important practical issue to solve.

Stefan
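To illustrate the guest memory translation issue raised in the message above, here is an added example (not part of the original message, and not QEMU or kernel code) of turning a guest-supplied buffer address into an offset relative to the start of the umem, rejecting anything not fully inside a mapped range. The `gpa_map` table, `gpa_to_umem_off()` and the sample ranges are hypothetical names and constructed values; the table is assumed to be filled in by the host, only `gpa` and `len` come from the guest.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Hypothetical mapping: one guest-physical range backed by part of the umem. */
struct gpa_map {
    uint64_t gpa_start;  /* guest-physical start of the range */
    uint64_t size;       /* length of the range in bytes */
    uint64_t umem_off;   /* offset of the range from the start of the umem */
};

/*
 * Translate a guest-supplied buffer (gpa, len) into a umem-relative offset.
 * Returns 0 and stores the offset, or -1 if the buffer is empty or is not
 * fully contained in a single mapped range.
 */
int gpa_to_umem_off(const struct gpa_map *maps, size_t nmaps,
                    uint64_t gpa, uint32_t len, uint64_t *off)
{
    if (len == 0)
        return -1;
    for (size_t i = 0; i < nmaps; i++) {
        const struct gpa_map *m = &maps[i];
        if (gpa < m->gpa_start)
            continue;
        uint64_t delta = gpa - m->gpa_start;
        /* Only subtractions here, so a huge gpa or len cannot wrap around. */
        if (delta >= m->size || len > m->size - delta)
            continue;
        *off = m->umem_off + delta;
        return 0;
    }
    return -1;
}

/* Constructed sample table: two guest RAM ranges packed back to back in the umem. */
static const struct gpa_map sample_maps[] = {
    { 0x000000000ULL, 0x200000ULL, 0x000000ULL },
    { 0x100000000ULL, 0x100000ULL, 0x200000ULL },
};

int main(void)
{
    uint64_t off;
    if (gpa_to_umem_off(sample_maps, 2, 0x100000800ULL, 2048, &off) == 0)
        printf("umem offset 0x%llx\n", (unsigned long long)off);
    if (gpa_to_umem_off(sample_maps, 2, 0x1fffffULL, 2, &off) != 0)
        printf("buffer straddling the end of a range rejected\n");
    return 0;
}
```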