SBC, B2BUA, Proxy? Help!

Hi,
Our company has been providing Asterisk/FPBX based systems to our existing client base for a few years. Recently, more and more of them are asking us to host them on their behalf for added Business Continuity/DR. We’ve been doing it fine so far with VLANs and virtual machines. SIP/RTP is only allowed through the firewall for the client’s static IP ranges and the SIP Trunk provider IP.
We now want to go one step further because it is wasteful using a separate IP for each client, and also limits the ability for roaming users to connect, securely at least.

We are looking to put “something” on the edge of the network, but I’m not sure what I need. I am hoping you can offer some advice.
I’ve looked at OpenSIPS, Kamailio and various hardware solutions but can’t work out which is most suitable.

Essentially, this is what I want:
Single public IP facing SIP endpoint which authenticates ALL devices (so all phones from all clients) - we’re only looking at around 100 in total.

Routing rules so that each authenticated client can be passed through to the appropriate PBX on the LAN side.

Ability to connect SIP Trunk from wholesale provider on the WAN side, but provide multiple SIP trunks on the LAN side to each client PBX. All external calls routed through the wholesale trunk, for all clients.

Security - whatever is required to allow publishing of SIP safely.

I’m happy to pay for a product or service if required.
Any advice gratefully received.
Regards,
Greg.

You need a proxy, as you surmised. Kamailio works very well in that role and is cheaper than a hardware solution. You need at least two proxies to be redundant, but most proxies will cluster nicely. You might need to brush up your BGP to do that properly.