Good news, I took a closer look with wireshark, read up about AFP permissions, and trudged through the source code and found my problem.
As far as POSIX ACLs and group membership are concerned, I discovered Netatalk does the permission mapping by looking up the groups the user belongs to and seeing if permission is granted by any of the ACEs. That led me to find that my winbind was broken and not expanding nested groups. As a test, I added a user to the group directly and Finder began allowing writes.
Would it make more sense to use access() to determine what permissions the user has?
Now I just need to get to the bottom of the winbind issue...
Many thanks for getting me in the right direction!
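To illustrate the group-based ACE evaluation described in the post above, here is a small model written for this page (it is not Netatalk code and is not from the original thread). It compares a membership lookup that only returns direct groups, like the broken winbind described, with one that expands nested groups, and checks a constructed set of ACEs for write permission. All names (users, groups, the `editors`/`staff` hierarchy, the ACE tuples) are made up for the example.

```python
# Toy model of "does any ACE grant this permission to the user or one of the
# user's groups?" -- the lookup style the post describes for Netatalk.
# Everything below is constructed sample data, not real directory state.

WRITE = "w"
READ = "r"

# Direct group membership as a broken winbind would report it: a user's
# memberOf list, with no expansion of groups that are members of other groups.
DIRECT_MEMBERSHIP = {
    "alice": {"staff"},
}

# Group nesting: group -> set of parent groups it is a member of.
GROUP_PARENTS = {
    "staff": {"editors"},
    "editors": set(),
}

# Constructed ACEs on a share: (principal_kind, principal_name, perms).
ACES = [
    ("user", "root", {READ, WRITE}),
    ("group", "editors", {READ, WRITE}),
    ("group", "staff", {READ}),
]


def groups_flat(user, membership=DIRECT_MEMBERSHIP):
    """Direct groups only (models winbind that does not expand nesting)."""
    return set(membership.get(user, set()))


def groups_nested(user, membership=DIRECT_MEMBERSHIP, parents=GROUP_PARENTS):
    """Direct groups plus every group reachable through nesting."""
    result = set()
    stack = list(membership.get(user, set()))
    while stack:
        g = stack.pop()
        if g in result:
            continue  # guards against cycles in the group graph
        result.add(g)
        stack.extend(parents.get(g, set()))
    return result


def effective_perms(user, groups, aces=ACES):
    """Union of perms from ACEs matching the user or any of the groups."""
    perms = set()
    for kind, name, granted in aces:
        if (kind == "user" and name == user) or (kind == "group" and name in groups):
            perms |= granted
    return perms


def can_write(user, group_lookup):
    return WRITE in effective_perms(user, group_lookup(user))


if __name__ == "__main__":
    print("flat lookup   ->", can_write("alice", groups_flat))     # False
    print("nested lookup ->", can_write("alice", groups_nested))   # True
```

With the flat lookup, alice only matches the `staff` ACE and gets read only; with nested expansion she also matches `editors` and gets write, which is the behaviour the post observed once the user was added to the group directly.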