Is plugging a switch between the Huawei and two routers, and some configuration, really all that's necessary? Does it work like that at all?
Technically, yes. This is pretty common in enterprise. In fact, on my second internet connection here at home (used for work) I have 13 static public IPs, and I use them for testing configurations. The connection comes into my core switch, allowing me to put any number of firewalls "on the WAN" without opening any of my internal network to that traffic.
Wouldn't a malicious party be able to cross through the static IP connection into my LAN via the switch?
No, because connected to the switch are two separate NAT routers/firewalls.
Do I have to look for anything specific for the switch, DHCP support or anything like that?
No, all I would look for is a layer 2 switch. Any of those little Netgear/TP-Link/etc five port jobs will do it for you.
Are there any other pitfalls that I don't yet know about or might have missed?
Yes: security. There is no way in hell I would expose anything intentionally to the internet with just a consumer router in the way. In your case, this is doubly important because you are coming at this from a lack of knowledge. There's nothing wrong with lacking knowledge -- we're not born knowing anything. It's just far too easy to inadvertently open yourself up to attack.
To keep the private parts of the server private, do I install another network card in it, then run a cable from the router that is going to be configured for dynamic IP, and configure the VMs to be accessible only via that network interface? Is it possible and is it safe?
Without knowing the rest of your network topology, I want to say this is a soft "yes". Again, I do this: my VM host's network configuration includes the VLAN that leads to my business ISP. I can put a VM (e.g., a firewall VM) on the ISP VLAN and then put other VMs "behind" it on another VLAN. This forces the traffic to pass through the firewall and keeps the rest of the network secure.
Make sure you understand what's happening before exposing anything internal to the network, and that includes your host's network configuration.
Would it be better/safer to run a separate dedicated machine for public hosting, entirely apart from my home server?
In your case, this is what I would do. You don't need much. If you check out Level1Techs or ServeTheHome, they've been doing tons of reviews on little mini PCs that would be perfect for this job. You could install Proxmox on them and use a virtual firewall distro like pfSense along with a few VMs to serve up. Just be careful about how you connect that host to the rest of your network for management.
Alternatively, consider one of the low-cost cloud hosted solutions. I used DigitalOcean often for small projects I needed exposed to the internet. For $5-10 per month, you get a VM you can work with and expose absolutely none of your home network until you're confident you can secure it.
This is a deep question. I would start by Googling "cybersecurity best practices for business" and read/watch some videos. I can reply later with some more detail on your other questions.