The parameters don’t perform string interpolation. It’s not a direct substitution of text into the SQL statement. The SQL statement being prepared is created using parameters, hence the @P1 in the table name reference.
Basically, if you want something interpolated into the SQL other than parameters for things like a where clause, you need to do it yourself.
(Note: Doing this creates an SQL injection vulnerability. Ensure you validate the data appropriately.)
Yes, but not relevant here. You’re trying to modify the SQL statement itself, not pass parameters to the query. It’s the string containing that statement that you need to modify for what you’re trying to do. (Alter the table name being queried.)
In this specific case, where you want to change the table name, check the value being used to alter that name to ensure it’s an approved value.
You don’t show where/how you’re using this execute statement, so I can’t determine from the information provided what the degree of risk is here. This may be a case where the processing around this statement already mitigates the vulnerability, in which case there’s nothing to worry about.
On the other hand, if this is a value being submitted from a browser, then you really need to make sure it’s clean.
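The allowlist check described above, as an added example that is not part of the original replies. It assumes Python's `sqlite3` in place of the poster's database driver, and the table names, column names and helper functions are hypothetical.

```python
import sqlite3

# Hypothetical allowlist: the only tables this code path may query.
ALLOWED_TABLES = {"orders_2023", "orders_2024"}


def build_query(table_name: str) -> str:
    """Interpolate the table name only after checking it against the allowlist."""
    if table_name not in ALLOWED_TABLES:
        raise ValueError(f"table not approved: {table_name!r}")
    # The identifier is now a known-good constant; the WHERE value stays a
    # bound parameter and is never formatted into the SQL string.
    return f'SELECT id, customer FROM "{table_name}" WHERE customer = ?'


def fetch_orders(conn, table_name, customer):
    return conn.execute(build_query(table_name), (customer,)).fetchall()


def placeholder_as_table_fails(conn) -> bool:
    """Show that a placeholder cannot stand in for a table name."""
    try:
        conn.execute("SELECT id FROM ?", ("orders_2024",))
    except sqlite3.OperationalError:
        return True  # the driver rejects the statement at prepare time
    return False


def make_demo_db():
    """Constructed sample data so the example runs offline."""
    conn = sqlite3.connect(":memory:")
    for name in sorted(ALLOWED_TABLES):
        conn.execute(f'CREATE TABLE "{name}" (id INTEGER PRIMARY KEY, customer TEXT)')
    conn.execute("INSERT INTO orders_2024 (customer) VALUES ('alice'), ('bob')")
    return conn


if __name__ == "__main__":
    db = make_demo_db()
    print(placeholder_as_table_fails(db))
    print(fetch_orders(db, "orders_2024", "alice"))
    try:
        fetch_orders(db, "orders_2024 --", "alice")  # constructed unapproved value
    except ValueError as exc:
        print(exc)
```

An exact-match set lookup is used rather than a pattern or escaping, so a value either is one of the approved names or is rejected before any SQL is built.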