I don’t think you could run switch-to-configuration as an extraCommand since, IIRC, it requires access to /, for instance. And if you want to run NixOS services, you will also need to run systemd in the container.
So, apparently (pkgs.nixos<nixpkgs/nixos/virtualisation/docker-image.nix>).tarball is, in fact, a docker image, but apparently it needs to run as --privileged.
This is not even suggested in either the NixOS manual or the NixOS wiki, and I stumbled on this file by accident while looking for the docker-image.nix profile.