I received confirmation from PayPal that this is a bug.
This appears to work with the regular Payflow Pro API calls, but fails when passing the CUSTREF using a Secure Token API call or hosted pages (using Secure Token).
The recommended work-around was to pass the field through in the comments.