I was facing the same problem with an MVC 3/WinForms hybrid app with Windows Authentication. I spent some time trying to determine the minimum permissions required for the report to run. For me, this also works:

var permissionSet = new PermissionSet(PermissionState.None);
var flags = SecurityPermissionFlag.Execution | 
            SecurityPermissionFlag.ControlPrincipal;
var permission = new SecurityPermission(flags);
permissionSet.AddPermission(permission);

ReportViewer.LocalReport.SetBasePermissionsForSandboxAppDomain(permissionSet);

Depending on how paranoid you are, you might feel safer with a bit more locked down permission set.

Sadly, I have no explanation for why these particular permissions are necessary and don't know if others are needed under different circumstances, but I hope this is useful.

This works:

var reportInstance = new LocalReport();
reportInstance.SetBasePermissionsForSandboxAppDomain(new PermissionSet(PermissionState.Unrestricted));

I don't really understand why. I do understand that the report is being granted permissions it can't get from WIF, but I don't understand which permissions those are or why it needs them. So, my answer "gives a man a fish," but can someone else "teach a man to fish" by explaining the deeper issue?