I think I found it. When packets come in from a promiscuous interface,
they are given more scrutiny, and my packets fail. See in
/sys/net/if_ethersubr.c, in ether_input():

724	if ((m->m_flags & (M_BCAST|M_MCAST)) == 0 &&
	    (ifp->if_flags & IFF_PROMISC) != 0 &&
	    memcmp(LLADDR(ifp->if_sadl), eh->ether_dhost,
	       ETHER_ADDR_LEN) != 0) {
	    m->m_flags |= M_PROMISC;
    
During the problematic tcpdump, IFF_PROMISC is indeed set, and the
destination ethernet address is that of the physical interface, not the
tap one (I send the same packets via tun as I would via bpf, after all).
So M_PROMISC gets set.

Further down,

775 switch (etype) {
...
855 default:
	if (m->m_flags & M_PROMISC) {
	    m_freem(m);
	    return;
	}

it is dropped.

So not only do I need to clone the IP address and netmask from the
physical interface, I need to clone the ethernet address as well
(SIOCSIFPHYADDR). And, that works. So thanks Greg for suggesting the
promiscuous angle!

-Olaf.
-- 
___ Olaf 'Rhialto' Seibert      -- You author it, and I'll reader it.
\X/ rhialto/at/xs4all.nl        -- Cetero censeo "authored" delendum esse.