
The idea is awesome. I'm going to have to try it out. It'd be cool if ssh-keysign could use this agent!


Apparently you can use an ssh-agent for HostKeys, and by extension ssh-keysign.

So I think this should be trivial to implement actually.

It might be cool to add some attestation feature so you can verify the boot of the machine before releasing the host keys. Might be practical in scenarios where you are SSHing into an initrd or a sensitive remote host.



