Of course, it turned out that we were using NTLM authentication, we just didn't know it. So I fixed that.
I still don't know why requests with RPC_C_AUTHN_NONE as the authentication service don't trip off the security callback function (and, yes, I did set the RPC_IF_ALLOW_CALLBACKS_WITH_NO_AUTH flag in the call to RpcServerRegisterIf2). But I've worked around the problem.
Exactly why I'm the expert on this is hard to fathom, save for the fact that I can actually read documentation. From Microsoft.
And all of you who just had your eyes glaze over? It's ok. Just smile and nod. :)