Tags: c#, impersonation, elevated-privileges

Given a username and password, how do you impersonate that user elevated?


In Windows Vista and later, LogonUser returns a non-privileged token, even if the user provided is an administrator. Thus, when you impersonate using that token, you are non-elevated. Given a correct username and password for an administrator user, how do you run code that has elevated privileges for that administrator?


Solution

  • If you are writing a Windows service, using LOGON32_LOGON_SERVICE instead of LOGON32_LOGON_INTERACTIVE or LOGON32_LOGON_NEW_CREDENTIALS will result in a privileged token, as long as the user you want to impersonate has 'log on as a service' permissions.

    This doesn't provide a general solution (it won't work if you're writing a user-facing application), but is sufficient to solve the specific problem I had.
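The approach in the answer above, as an added C# sketch that is not part of the original post: it logs the account on with `LOGON32_LOGON_SERVICE`, confirms through `GetTokenInformation` that the returned token is elevated, and only then impersonates. The class and method names (`ServiceLogonImpersonation`, `RunElevated`) are hypothetical, and the code assumes it runs inside a Windows service, as the answer does.

```csharp
using System;
using System.ComponentModel;
using System.Runtime.InteropServices;
using System.Security.Principal;
using Microsoft.Win32.SafeHandles;

static class ServiceLogonImpersonation
{
    const int LOGON32_LOGON_SERVICE = 5;
    const int LOGON32_PROVIDER_DEFAULT = 0;
    const int TokenElevation = 20; // TOKEN_INFORMATION_CLASS value

    [DllImport("advapi32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
    static extern bool LogonUser(string user, string domain, string password,
        int logonType, int logonProvider, out SafeAccessTokenHandle token);

    [DllImport("advapi32.dll", SetLastError = true)]
    static extern bool GetTokenInformation(SafeAccessTokenHandle token, int infoClass,
        out int info, int infoLength, out int returnLength);

    // Hypothetical helper: logs on with the service logon type, refuses to continue
    // unless the token is actually elevated, then runs `work` as that user.
    public static void RunElevated(string user, string domain, string password, Action work)
    {
        if (!LogonUser(user, domain, password, LOGON32_LOGON_SERVICE,
                       LOGON32_PROVIDER_DEFAULT, out SafeAccessTokenHandle token))
            // Fails (e.g. ERROR_LOGON_TYPE_NOT_GRANTED) when the account lacks
            // the 'log on as a service' right.
            throw new Win32Exception(Marshal.GetLastWin32Error());

        using (token)
        {
            // TOKEN_ELEVATION is a single DWORD: non-zero means elevated.
            if (!GetTokenInformation(token, TokenElevation, out int elevated,
                                     sizeof(int), out _))
                throw new Win32Exception(Marshal.GetLastWin32Error());
            if (elevated == 0)
                throw new InvalidOperationException("Token is not elevated.");

            // Impersonation is scoped to the delegate and reverted on return.
            WindowsIdentity.RunImpersonated(token, work);
        }
    }
}
```

Checking `TokenElevation` before impersonating makes the failure explicit instead of letting privileged calls fail later with access-denied errors.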