https://github.com/WebAssembly/wabt/blob/main/wasm2c/README.... is a straightforward way to take an untrusted application (compiled already to wasm) and turn it into C that you can embed into your application or compile to a linkable DLL. I believe this approach has been used to sandbox untrusted libraries in production by Mozilla:
https://hacks.mozilla.org/2021/12/webassembly-and-back-again... 