Is it possible for a client to establish an SSL connection to a server using the server’s certificate already exchanged through other means?
The point would be to encrypt the connection using the certificate already with the client and not have to rely on the server to provide it. The server would still have the private key for the certificate the client uses.
This question isn’t language specific, but answers specific to python and twisted are appreciated.
The certificates in SSL/TLS are only used for authentication, the encryption itself is done by shared keys negotiated during the handshake.
If you want to use certificates, you’ll always need at least the SSL/TLS server to have a certificate (which may be the TCP client). You can indeed swap the roles of the client and server when making the connection. That is, the SSL/TLS server doesn’t have to be the TCP server, but can be the TCP client. See the definition in the specification glossary:
However, doing so can lead to difficulties. Just like a server in a traditional SSL/TLS connection can’t detect whether the request has been through a MITM (it’s solely the client’s responsibility to check the server certificate, without client-certificate authentication), making the TCP client be the SSL/TLS server makes it hard for the TCP client to know that it’s talking to the TCP server it intended: the server could in fact be a MITM. You’d need to consider whether this suits your needs.
In Python, you should be able to choose the orientation of your SSL/TLS socket using the server_side parameter of ssl.wrap_socket.

This doesn’t make sense at all. Private keys should be kept private by the party to which the certificate was issued.
Perhaps you’re after a Pre-Shared Key mechanism instead.
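The role swap described in the first answer above, as an added example that is not part of the original question or answers: the TCP server wraps its accepted connection as a TLS client that trusts only the certificate it received out of band, while the TCP client wraps its outgoing connection as the TLS server holding the private key. It uses SSLContext.wrap_socket, which has the same server_side parameter as the module-level ssl.wrap_socket the answer mentions (the latter was removed in Python 3.12). The throw-away certificates are generated with the openssl command-line tool, which is assumed to be installed; the names pinned-peer and imposter, the hostname used for the check, and the message exchanged are all constructed for the demonstration. The second run, where the TCP client presents a certificate other than the pinned one, shows the verification failing, and the TLS-server side's getpeercert() returning None shows the caveat from the answer: without client-certificate authentication that side learns nothing about who it is talking to.

```python
import os
import socket
import ssl
import subprocess
import tempfile
import threading


def make_self_signed_cert(directory, name):
    """Create a throw-away self-signed certificate and private key.

    Uses the `openssl` command-line tool (assumed to be installed). `name` is
    placed both in the CN and in a DNS subjectAltName so that the TLS client's
    hostname check can stay switched on.
    """
    certfile = os.path.join(directory, name + ".crt")
    keyfile = os.path.join(directory, name + ".key")
    subprocess.run(
        ["openssl", "req", "-x509", "-newkey", "rsa:2048", "-nodes", "-days", "1",
         "-subj", "/CN=" + name, "-addext", "subjectAltName=DNS:" + name,
         "-keyout", keyfile, "-out", certfile],
        check=True, capture_output=True,
    )
    return certfile, keyfile


def run_swapped_roles(certfile, keyfile, trusted_certfile, hostname, timeout=10):
    """One TLS session over loopback TCP with the TLS roles swapped.

    The TCP *server* acts as the TLS *client*: it trusts only `trusted_certfile`
    (the certificate obtained out of band) and verifies the peer against it.
    The TCP *client* acts as the TLS *server*: it alone holds `certfile`/`keyfile`.
    Returns what each side observed, including any handshake error.
    """
    result = {"tls_client_error": None, "tls_server_error": None}
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    port = listener.getsockname()[1]

    def tcp_server_as_tls_client():
        conn, _ = listener.accept()
        conn.settimeout(timeout)
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)  # CERT_REQUIRED + check_hostname
        ctx.load_verify_locations(cafile=trusted_certfile)  # pinned cert is the only trust anchor
        try:
            with ctx.wrap_socket(conn, server_side=False, server_hostname=hostname) as tls:
                subject = tls.getpeercert()["subject"]
                result["peer_cn"] = [v for rdn in subject for k, v in rdn if k == "commonName"][0]
                tls.sendall(b"hello from TCP server")
                result["reply"] = tls.recv(1024)
        except OSError as exc:  # ssl.SSLError and SSLCertVerificationError are OSErrors
            result["tls_client_error"] = type(exc).__name__
        finally:
            conn.close()

    worker = threading.Thread(target=tcp_server_as_tls_client)
    worker.start()

    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.load_cert_chain(certfile, keyfile)  # only this side ever touches the private key
    raw = socket.create_connection(("127.0.0.1", port), timeout=timeout)
    try:
        with ctx.wrap_socket(raw, server_side=True) as tls:
            # No client certificate was requested, so the TLS server learns
            # nothing about the identity of its peer: the MITM caveat.
            result["tls_server_saw_peer_cert"] = tls.getpeercert()
            received = tls.recv(1024)
            tls.sendall(received.upper())
    except OSError as exc:
        result["tls_server_error"] = type(exc).__name__
    finally:
        raw.close()
        worker.join()
        listener.close()
    return result


def demo():
    """Honest session, then an imposter TCP client with a different key pair."""
    with tempfile.TemporaryDirectory() as workdir:
        pinned_cert, pinned_key = make_self_signed_cert(workdir, "pinned-peer")
        imposter_cert, imposter_key = make_self_signed_cert(workdir, "imposter")
        honest = run_swapped_roles(pinned_cert, pinned_key, pinned_cert, "pinned-peer")
        # The TCP server trusts only the pre-shared certificate, so a TCP client
        # presenting any other certificate cannot complete the handshake.
        imposter = run_swapped_roles(imposter_cert, imposter_key, pinned_cert, "pinned-peer")
    return honest, imposter


if __name__ == "__main__":
    for label, outcome in zip(("honest", "imposter"), demo()):
        print(label, outcome)
```

The verification on the TLS-client side is what actually binds the session to the certificate the TCP server already had: load_verify_locations with that single certificate plus the hostname check means only the holder of the matching private key can complete the handshake, which is the pinning the question is after. Nothing in the exchange authenticates the TLS-client side to the TLS server; if that side also needs to be authenticated, it has to present a client certificate.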