Please confirm if you have created both the following rules for Impersonatee realm and attached it to relevant policy :
Rule 2 : ImpersonateStart
Resource = *
Action = ImpersonateStart
Rule 3 : ImpersonateStartUser
Resource = *
Action = ImpersonateStartUser
Can you share screenshot of your impersonatee relam configuration and the relevant agent trace logs when the impersonation flow breaks ? Are you using same security zone in both the ACO ?