"..Is it a big deal? I don’t know. Windows Server 2019 lists with Datacenter at $6155 and Standard at $972. That means it will cost me $5,183 for Always Encrypted on my SQL Server. Not a bad price for the encryption and additional security. An HSM appliance goes for quite a bit. One in Azure is $5k + $4.85/hour and most of the enterprise appliances I've priced at $10k+. And you need two.."
So, do the server(s) hosting the Host Guardian Service actually perform the data decryption (which would explain the specifications), or are they just performing some additional authentication similar to a Certificate Authority server? If all they're doing is authentication, then it seems a vanilla Windows or Linux VM in Azure could easily assume this role.
"Do not seek to follow in the footsteps of the wise. Instead, seek what they sought." - Matsuo Basho