Yeah you can create a jump server/desktop with 2 NICs:

one with PortGroup on Production vSwitch for users to jump in

the other one with PortGroup isolated or test environment VLAN on an isolated vSwitch with no uplink

The test environment VMs has one NIC connected to test environment VLAN on the isolated vSwitch

I'm not sure on what do you mean by writing back to production.

If you are worried about the the test VMs connectivity to production, the VLAN is on isolated vSwitch and has no uplink so it will not have connectivity to production.

You can also remove the default gateway from the test VMs NIC just to be sure that the test VMs cannot reach other network.

If you are worried about the jump server, jump server will still have access to production network.
If you want the jump server to be blocked from production network too, some options would be:

1. Virtual Desktop: use virtual desktop as jump server and put the virtual desktop on the isolated VLAN, user will access virtual desktop from a connection broker, management vlan. Once logged into the virtual desktop, user can only access test environment. If user need to transfer some file to the jump dekstop, use usb redirection.
2. vSphere Client: use vSphere client/vSphere web client. create a jump server with only 1 NIC on jumpserver and user access from vSphere client/web client. if user need to transfer some data, you can connect a USB using USB passthrough from user PC VMware vSphere 6.5 Documentation Library-USB Configuration from a Client Computer to a Virtual Machi... or from ESXi VMware vSphere 6.5 Documentation Library-USB Configuration from an ESXi Host to a Virtual Machine