hci
Long time Member
Topic Author
Posts: 674
Joined: Fri May 28, 2004 5:10 pm

EoiP CGNAT

Fri Jan 28, 2022 1:50 am

Is it possible to do an EoIP tunnel with one end of the tunnel behind CGNAT? If not, is there another way to accomplish the same thing behind CGNAT?
 
nichky
Forum Guru
Posts: 1281
Joined: Tue Jun 23, 2015 2:35 pm

Re: EoiP CGNAT

Fri Jan 28, 2022 2:59 am

Why not, EoIP is a virtual interface which is replacing the physical interface.
 
sindy
Forum Guru
Posts: 10206
Joined: Mon Dec 04, 2017 9:19 pm

Re: EoiP CGNAT

Fri Jan 28, 2022 10:05 am

EoIP is an application atop GRE, and GRE itself is not treated well by many NATs as it doesn't work with the notion of ports; instead, it works with a tunnel ID field which MikroTik misuses for EoIP (and doesn't use at all for L3 GRE), so even NATs that could work with GRE using this field are unable to do so.

On top of that, all traffic from a CGNAT client may not emerge from the same public address.

Hence you have to encapsulate EoIP into some other kind of tunnel that can deal with NAT traversal, which effectively means either IPsec or L2TP. L2TP supports its own L2 tunneling mode (BCP), and it also supports internal splitting of large payload packets, preventing IP-layer fragmentation that often causes trouble on WAN. But BCP interconnects two bridges, and you cannot use vlan-filtering on these bridges directly, which may be a limiting factor.

So depending on your application, EoIP over manually configured IPsec, bare L2TP or L2TP over automatically configured IPsec with BCP may be the optimal setup for you. If you run RouterOS 7, EoIP over WireGuard is another option. If you need encryption, definitely use IPsec or WireGuard. If VLANs are used, EoIP is more straightforward to configure; if MTU is a concern, L2TP/BCP is better suited.

In any case, avoid L2 tunneling as much as you can, only use it when there is really no other way.
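The EoIP over WireGuard option mentioned in the reply above, sketched for RouterOS 7 as an added example that is not part of the original thread. Assumptions: the non-CGNAT site is reachable at 203.0.113.10 (documentation address), the tunnel uses 10.255.255.0/30, the LAN bridge on both routers is named `bridge`, and the public keys are placeholders to be replaced with the values each router generates.

```routeros
# ---- Site A: router with a public address (203.0.113.10 is a placeholder) ----
# WireGuard carries the GRE/EoIP traffic inside UDP, which CGNAT can track by port.
/interface wireguard add name=wg-eoip listen-port=13231
/interface wireguard peers add interface=wg-eoip \
    public-key="<SITE-B-PUBLIC-KEY>" allowed-address=10.255.255.2/32
/ip address add address=10.255.255.1/30 interface=wg-eoip

# Permit only what the tunnel needs; these rules must sit above any final drop rule.
/ip firewall filter add chain=input action=accept protocol=udp dst-port=13231 \
    comment="WireGuard from CGNAT site"
/ip firewall filter add chain=input action=accept protocol=gre \
    in-interface=wg-eoip comment="EoIP only inside WireGuard"

# EoIP endpoints are the WireGuard tunnel addresses, never the WAN addresses.
/interface eoip add name=eoip-site-b local-address=10.255.255.1 \
    remote-address=10.255.255.2 tunnel-id=10
/interface bridge port add bridge=bridge interface=eoip-site-b

# ---- Site B: router behind CGNAT ----
# This side has no reachable address, so it initiates and keeps the NAT mapping alive.
/interface wireguard add name=wg-eoip
/interface wireguard peers add interface=wg-eoip \
    public-key="<SITE-A-PUBLIC-KEY>" endpoint-address=203.0.113.10 \
    endpoint-port=13231 allowed-address=10.255.255.1/32 persistent-keepalive=25s
/ip address add address=10.255.255.2/30 interface=wg-eoip

/ip firewall filter add chain=input action=accept protocol=gre \
    in-interface=wg-eoip comment="EoIP only inside WireGuard"

# tunnel-id must match on both ends.
/interface eoip add name=eoip-site-a local-address=10.255.255.2 \
    remote-address=10.255.255.1 tunnel-id=10
/interface bridge port add bridge=bridge interface=eoip-site-a
```

Each router's own public key can be read with `/interface wireguard print` after the interface is created and then entered as the peer key on the other side.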
