“if a website is issued a certificate from one of those aforementioned Euro-mandated government-backed CAs, that government can ask its friendly CA for a copy of that certificate so that the government can impersonate the website.”
Not quite - the government can ask its friendly CA to issue a new certificate, but a copy of the old certificate will be of little use without the private key stored on the requesting organisation’s web server etc.
It can do this even if the original certificate wasn’t issued by one of the Euro-mandated government-backed CAs, as presumably organisations wanting to reduce the risk of government tampering would use a CA outside this government programme.
Existing countermeasures like Certification Authority Authorization (CAA) would presumably remain effective against this EU-mandated vulnerability, or at least require DNS to also be compromised to perform the MITM attack.
Enterprising browser extension developers can hopefully code for removing these CAs from the trust chain to restore security on the endpoint - perhaps rolled up into existing popular extensions like ad blockers.