FWIW I seem to have found a solution.
I had added a call to
but it hadn't worked.
Later in debugging I found that that call was trying to renew the Proxy User, not the underlying principal.
I changed the call so that it would get the principal's ugi and call the same method on that and now it seems to work.
There are still outstanding questions, though, if anyone cares to investigate further: