I eventually found that an ISAPI filter called IBsys.dll, which I didn't recognize, was actually part of server security software produced in China.
That software was filtering all requests and blocking ones it didn't know about. That software had to be configured with the new host header.
So, if you encounter something similar, scrutinize your ISAPI filters.