How would the telco get their Private Trust Anchor into the certificate store ? More social engineering, i suppose. At the app level though, a chain resolution like what you describe is not required.
They will be telling citizens to install a "national security certificate". After they implement this, you won't be able to access the internet without it.
They COULD do that but they almost certainly aren't doing that. That's a tedious task that requires a lot of time and technically competent employees.
Also we are talking about apps implementing certificate pinning. Not reading from the OS store etc., and therefore, I don't see Kazakhstan reverse engineering and patching executables.