Isolating a child process in a remote desktop program

1 vote
0 answers
35 views
I'm developing a remote desktop/streaming program for Linux. When a user logs in, they specify a program to launch, and the remote server launches that program as a new process. The server process acts as a Wayland compositor, so the child process runs offscreen (from the perspective of any other user on the server), and gets its input from the compositor.

This works well for simple applications, but many desktop applications like Steam (which is an important one for this use case) use (I think) dbus to check if there's an existing instance of Steam running, and if there is, they switch to it. So simply fork/exec'ing the process doesn't work if there is already a window open.

I've tried using unshare(2) to create a mount namespace for each child, and then mounting something over /run to hide dbus. I haven't been successful in this approach yet.

Containerization is the obvious general approach here, both for isolation and providing some minor security benefits. However, I'd prefer that the server process be standalone, rather than requiring e.g. Docker or lxd to be running alongside it. I don't care that much about security - or rather, the solution to this problem does not necessarily have to prevent container escapes or similar attacks.

What Linux-friendly technologies or kernel features would be good for this problem and reasonably easy to implement in a C/Rust program?
Asked by colinmarc (11 rep)
Dec 15, 2023, 01:50 PM