Mikrotik
Rodion, 2020-06-11 20:15:12

Will hardware encryption work on MikroTik CHR?

I want to buy a MikroTik router with support for hardware encryption in IPsec, install Cloud Hosted Router on some rented VDS and make a tunnel between them (without significant loss of channel width).

Will it work the way I want? Do I need to check with my cloud service provider about support for hardware-based encryption? And what settings (both on the router and on the CHR) must be set to make it work?


4 answer(s)
brar, 2020-06-11
@rodion4dev

I had a similar experience a couple of years ago. CHR actually only partially uses the processor for encryption, and hashes are calculated in software. We managed to squeeze out 30 megabits/s, no more. But as I found out then, the hosting did not allow full AES passthrough to the virtual machine with CHR.
So you need to check with the hosting where you will run CHR whether the physical processor's hardware encryption is fully passed through to the virtual machine. If it is, it will most likely work, though possibly only after some dancing with a tambourine around the encryption protocol settings.
But on the side of the hardware MikroTik, provided that the model has hardware encryption, there will be no problems with bandwidth (everything will match the specifications for your piece of hardware).
Choose a virtual machine on the principle "more than 2.2 gigahertz" and forget about the number of cores, since only one core will be used.
In general, it's better to buy a second hardware MikroTik and put it in some DC where you already have something.
Another option is to give up on encryption. :)

akelsey, 2020-06-11
@akelsey

There will be no hardware. Hardware is when the device has a chip that encrypts on the fly, bypassing the processor. You want to deploy on x86, so of course the CPU will do all of this there.
P.S. And it will work; this is what CHR was invented for.

poisons, 2020-06-11
@poisons

It is quite a workable scheme, but not every VPS can start CHR correctly. At least it works on DO; on OVH I started it once, and after a reboot it refused to start. Maybe they have fixed it.
Regarding hardware encryption, the most important thing is that it works on the hardware router's side, because otherwise everything will be very sad; what happens on the CHR side is not important.
https://wiki.mikrotik.com/wiki/Manual:IP/IPsec#Har... - here is a table with possible options.

Dmitry, 2020-06-11
@Tabletko

CHR supports AES-NI. https://wiki.mikrotik.com/wiki/Manual:IP/IPsec#Har...
