How to create a private namespace that can be opened in UWP/AppContainer app?

From the full trust app I create the namespace like this:

string boundaryName = Guid.NewGuid().ToString();
using var boundary = new BoundaryDescriptor(boundaryName,
                                            // tried None aka 0 too
                                            CreateFlags.AddAppContainerSID);
// calls AddSIDToBoundaryDescriptor
// also tried WinBuiltinAnyPackageSid
boundary.Add(WellKnownSidType.WorldSid); 
// calls AddIntegrityLabelToBoundaryDescriptor
boundary.Add(WellKnownSidType.WinLowLabelSid);

Debug.WriteLine($"boundary: {boundaryName}");

string name = Guid.NewGuid().ToString();
// uses default security
// e.g. non-null SECURITY_ATTRIBUTE
// with null lpSecurityDescriptor
using var ns = new PrivateNamespace(boundary, name, destroyOnClose: true);
SleepForever();

Then I copy the boundary name and the namespace name to the sandboxed UWP app, and call:

using var boundary = new BoundaryDescriptor(boundaryName,
                                            CreateFlags.AddAppContainerSID);
// calls AddSIDToBoundaryDescriptor
boundary.Add(WellKnownSidType.WorldSid);
// calls AddIntegrityLabelToBoundaryDescriptor
boundary.Add(WellKnownSidType.WinLowLabelSid);
using var ns = PrivateNamespace.Open(boundary, name);

The Open call fails, and I get error 3 (ERROR_PATH_NOT_FOUND).

What is it that I need to do to let the sandboxed app open my namespace?

Do I even need to pass the boundary name?

UPD. I even tried to explicitly set namespace security:

DeriveAppContainerSidFromAppContainerName(packageFamilyName,
                                          out var containerSID);
string sid = ConvertSidToStringSid(containerSID);
security.AddAccessRule(new(new SecurityIdentifier(sid),
                           FileSystemRights.FullControl,
                           AccessControlType.Allow));