Can. A VM with 2 cores, 60-80 gigs of disk, 4 gigs of memory is suitable for your load (this is even with a margin).

You can, even though MS was not recommended at the time.
There should be at least 2 controllers and they should naturally be stored on different physical machines.
It is better to keep roaming profiles separately, for example on a NAS. Naturally, branches should have their own NAS's.

As for the MS recommendations on hardware controllers, I categorically disagree with MS, because if a hardware domain controller fails, transferring it to another hardware can become a headache.
I have already encountered this in practice and now I prefer to use virtualized servers whenever possible, since in case of force majeure they can be simply transferred to any other machine as quickly as possible.

And if user profiles are stored on the server?
It turns out that for each branch you need to configure your own domain controller or do you need one?

According to Microsoft recommendations, DCs can be virtual machines, and each location needs at least one hardware DC

Well, if briefly and to the point .. a domain controller without additional functions does not need any special powers. You can install it on a virtual machine, allocate a couple of cores and a couple of GB of RAM to it, this will be enough. In one of the organizations where I worked. all ds were on virtual machines but on different hosts, there were no problems.

You can and should virtualize. Moreover, the controller on a normal VMWare or Hyper-V farm is much more reliable than a regular hardware one, this MS requirement, IMHO, is outdated. For a branch of 20-30 computers, according to experience, a single-socket server with a processor of 4 cores is enough, the main thing is to put a domain on a separate virtual machine (this is if there is no task to deploy crowds of servers in each branch, but only a file and a domain are needed). If new users are brought only from the head office, then RoDC will really be in place.