The sp_executesql procedure works like a dynamic SP so you can only pass values, and not object names, as parameters.
To guard against SQL injection you can validate column names against INFORMATION_SCHEMA.COLUMNS and table names against INFORMATION_SCHEMA.TABLES.
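As an added example (not code from the original post), here is a T-SQL stored procedure that applies both halves of that advice: the table and column names arrive as parameters but are only ever used after a lookup in INFORMATION_SCHEMA confirms they exist, and the search value is handed to sp_executesql as a real parameter so it can never become part of the statement text. The procedure name `dbo.SearchByColumn`, its parameter names and the `dbo.Customers`/`Email` objects in the usage comment are hypothetical.

```sql
-- Added example: whitelist identifiers against the catalog, then parameterize
-- the value through sp_executesql. All object and parameter names below are
-- hypothetical, chosen for this illustration.
CREATE OR ALTER PROCEDURE dbo.SearchByColumn
    @SchemaName sysname,
    @TableName  sysname,
    @ColumnName sysname,
    @Value      nvarchar(4000)
AS
BEGIN
    SET NOCOUNT ON;

    -- 1. Identifiers cannot be passed as sp_executesql parameters, so they are
    --    validated against the catalog first. A row exists in
    --    INFORMATION_SCHEMA.COLUMNS only if both the table and the column exist,
    --    so this single lookup covers the TABLES check as well. Anything not
    --    found (including any injected text) is rejected before any SQL is built.
    IF NOT EXISTS (
        SELECT 1
        FROM INFORMATION_SCHEMA.COLUMNS
        WHERE TABLE_SCHEMA = @SchemaName
          AND TABLE_NAME   = @TableName
          AND COLUMN_NAME  = @ColumnName
    )
    BEGIN
        THROW 50000, N'Unknown table or column.', 1;
    END;

    -- 2. Build the statement from the validated identifiers. QUOTENAME is
    --    defense in depth: it brackets names that contain spaces or brackets
    --    so a legitimate but unusual identifier still parses as one token.
    --    The search value is represented only by the placeholder @p0.
    DECLARE @sql nvarchar(max) = N'SELECT * FROM '
        + QUOTENAME(@SchemaName) + N'.' + QUOTENAME(@TableName)
        + N' WHERE ' + QUOTENAME(@ColumnName) + N' = @p0;';

    -- 3. Bind the value as a typed parameter. Whatever the caller supplies is
    --    compared as a string literal; it is never parsed as SQL.
    EXEC sys.sp_executesql
        @sql,
        N'@p0 nvarchar(4000)',
        @p0 = @Value;
END;
GO

-- Usage against a hypothetical dbo.Customers table with an Email column:
-- EXEC dbo.SearchByColumn N'dbo', N'Customers', N'Email', N'alice@example.com';
-- A column name that is not in the catalog raises error 50000 and no dynamic
-- SQL is executed.
```

Two practical notes on this pattern. First, INFORMATION_SCHEMA views only list objects the executing principal has some permission on, so the procedure should run under the same account that will actually query the table, otherwise valid names can be rejected. Second, the catalog comparison follows the database collation; under a case-insensitive collation `customers` matches `Customers`, and because SQL Server resolves identifiers with that same collation the QUOTENAME'd name still refers to the intended table.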