But in order to broadcast the transaction you will need to use the internet. So this requires importing the private key to an application that's connected to the internet. Therefore your wallet immediately becomes hot.
Nope, you don't have to. You can create a transaction and sign it offline. Regardless, the security of the paper wallet is compromised even if you were to only expose your private key when you're spending. If you want to be safe, you should not expose your private key to a computer that is connected to the internet at any point in time.
If you have a synchronized Bitcoin Core instance, you can get the raw transaction and use testmempoolaccept to test if it is valid without broadcasting.
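The workflow the replies above describe (build online, sign offline, dry-run with testmempoolaccept, then broadcast), sketched as an added example that is not part of the original posts. The function names and the `BITCOIN_CLI` variable are assumptions, and the offline machine is assumed to run a Bitcoin Core node with networking disabled; the RPC names are Bitcoin Core's own.

```shell
# Added example: air-gapped spend of a paper-wallet UTXO with Bitcoin Core RPCs.
# Function names and BITCOIN_CLI are assumptions; all values you pass are yours.
BITCOIN_CLI="${BITCOIN_CLI:-bitcoin-cli}"

# ONLINE host (holds no key): build the unsigned transaction.
# args: txid vout destination_address amount_btc
build_unsigned() {
  $BITCOIN_CLI createrawtransaction \
    "[{\"txid\":\"$1\",\"vout\":$2}]" "[{\"$3\":$4}]"
}

# OFFLINE host (bitcoind running with no network): sign with the WIF key.
# An offline node cannot look up the spent output, so it is passed explicitly.
# args: unsigned_hex wif txid vout scriptPubKey_hex utxo_amount_btc
sign_offline() {
  $BITCOIN_CLI signrawtransactionwithkey "$1" "[\"$2\"]" \
    "[{\"txid\":\"$3\",\"vout\":$4,\"scriptPubKey\":\"$5\",\"amount\":$6}]"
}

# OFFLINE host: read the signing result on stdin, print the hex only if
# every input was signed ("complete": true). Only this hex leaves the machine.
signed_hex() {
  json=$(cat)
  printf '%s\n' "$json" | grep -Eq '"complete": *true' || return 1
  printf '%s\n' "$json" | sed -n 's/.*"hex": *"\([0-9a-fA-F]*\)".*/\1/p'
}

# ONLINE host: dry-run against the synced node's mempool policy, no broadcast.
# Prints "allowed" (exit 0) or the node's JSON verdict (exit 1).
precheck() {
  verdict=$($BITCOIN_CLI testmempoolaccept "[\"$1\"]") || return 2
  if printf '%s\n' "$verdict" | grep -Eq '"allowed": *true'; then
    echo allowed
  else
    printf '%s\n' "$verdict"; return 1
  fi
}

# ONLINE host: broadcast only when the dry run passed.
broadcast_checked() {
  precheck "$1" >/dev/null && $BITCOIN_CLI sendrawtransaction "$1"
}
```

How the unsigned and signed hex move between the two machines (removable media, QR code) is left out; only hex strings cross that boundary, never the key.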