DCOM will strip privileges from the token that are not explicitly enabled. That's a DCOM design -- not MSI and since custom actions are 3rd party code, they are not hosted in-proc but rather in a sandbox process. You'll find that MSI actually worked around this design limitation of DCOM in MSI 3.0 itself.
If that privilege is not already enabled within the token, then it will not be available due to the DCOM behavior.
Content credit also belongs to