
So if it's the norm to connect to unknown APs with SSID "eduroam" and submit your username and password, can I make a rogue AP that sniffs everyone's credentials? Or is this prevented under Enterprise, e.g. through a pre-shared certificate for the authentication server (which isn't run by the AP host)?

If the latter, can I make my own real eduroam AP?



The AP needs to arrange (typically with a RADIUS server) to tunnel the authentication to a remote EAP at the user's institution. The local RADIUS server will discover your username (often an email address) but the other credentials used are up to the institution and only delivered there. It will often be MSCHAPv2 which is designed to authenticate Windows passwords, but it could even do X.509 client certificates.

Since TLS ends up in the picture many institutions use the Web PKI, so a typical modern device already understands how to verify that this is the right server for example@example.com to authenticate against, it's the one with a Certificate for the DNS name example.com. But yes, they can do all this with custom certificates instead and I'm sure lots do that.

Yes, you can in principle make an eduroam service. You should probably talk to whatever higher education or further education IT body exists in your country.

Notice that only academics and students get to access the network, so unless you're either of those things you'll need to also add an escape hatch for yourself and anybody else you want using it. Offering the service to others does not entitle you to any access, it would be only a courtesy to others.
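The point the answer above makes, that the client, not the AP, is what stops a rogue "eduroam" AP from harvesting MSCHAPv2 credentials, comes down to whether the supplicant actually verifies the home institution's RADIUS server before sending the inner identity and password. The following wpa_supplicant network blocks are an added illustration, not part of the original thread, showing a weak configuration beside a hardened one. The realm example.com, the server name radius.example.com and the CA bundle path are assumed placeholders; a real user would substitute the values their institution publishes (usually via a CAT installer).

```conf
# ---- WEAK: no server verification (assumed placeholder values) ----
# With no ca_cert and no name match, the supplicant will happily complete
# the outer TLS tunnel to ANY server, including one run by a rogue AP, and
# then send the MSCHAPv2 response inside it.  The inner identity is also
# leaked as the outer identity because anonymous_identity is unset.
network={
    ssid="eduroam"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="alice@example.com"
    password="correct horse battery staple"
    phase2="auth=MSCHAPV2"
}

# ---- HARDENED: pin the home institution's RADIUS server ----
# The outer identity carries only the realm, which is all the visited site's
# RADIUS proxy needs to route the request to example.com.  The real
# username and password stay inside the TLS tunnel, and that tunnel is only
# established if the server presents a certificate chaining to a trusted CA
# AND whose name ends in the expected domain.
network={
    ssid="eduroam"
    key_mgmt=WPA-EAP
    eap=PEAP
    proto=RSN
    # outer (visible) identity: realm only, no username
    anonymous_identity="anonymous@example.com"
    # inner identity and credential, sent only inside the verified tunnel
    identity="alice@example.com"
    password="correct horse battery staple"
    phase2="auth=MSCHAPV2"
    # trust anchor (path assumed; use the CA your institution publishes)
    ca_cert="/etc/ssl/certs/ca-certificates.crt"
    # the server certificate's name must end in this domain
    domain_suffix_match="radius.example.com"
}
```

The two settings that matter are ca_cert and domain_suffix_match together: a CA check alone still accepts any certificate that chain of trust has issued, and a name check alone accepts a self-signed certificate with the right name. A client that omits both is exactly the "connect to an unknown AP and submit your password" case the question worries about, and the reason institutions ship preconfigured profiles rather than asking users to type their credentials into a bare SSID.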


Great detailed answer, thanks!



