UPDATE 2:
after digging through various libvirt/kvm configs, I figured out the problem. For some reason libvirt defaulted to generate a domain cpu config of:
<cpu mode='custom' match='exact' check='full'>
<model fallback='forbid'>EPYC</model>
<vendor>AMD</vendor>
<feature policy='require' name='acpi'/>
<feature policy='require' name='ss'/>
<feature policy='require' name='hypervisor'/>
<feature policy='require' name='erms'/>
<feature policy='require' name='mpx'/>
<feature policy='require' name='pcommit'/>
<feature policy='require' name='clwb'/>
<feature policy='require' name='pku'/>
<feature policy='require' name='la57'/>
<feature policy='require' name='3dnowext'/>
<feature policy='require' name='3dnow'/>
<feature policy='require' name='npt'/>
<feature policy='disable' name='vme'/>
...
When the host cpu was an Intel Xeon with VT-x enabled. After changing the config with virsh edit <domain> and then SHUTTING DOWN the domain, i.e. NOT a restart, it installed properly. Thanks to virsh edit vs virsh dumpxml - Red Hat Customer Portal for this little nuance. So now a dumpxml of the domain shows:
<cpu mode='host-passthrough' check='none'/>