Time for an update!  After a great deal of trial-and-error, I have managed to determine:

1. In order for the Turn on Fault Tolerance wizard to appear when the menu item is chosen, the user must have a minimum of read-only permissions to the cluster, in addition to the documented permissions on the VM.  The first stage of the wizard is choosing the storage for the secondary VM, and in our case the only datastore available is vsan, so this may have something to do with it.  Giving the user permissions to the datastore doesn't work.  It has to be the cluster.  We don't particularly want this restricted administrator to have visibility of the cluster, but at least they can't make any changes.

2. In order to get past the second stage of the Turn on Fault Tolerance wizard, the user must have a minimum of read-only rights to at least one host.  In practical terms they will need rights to at least two hosts in case the primary is already on the single host they have rights to.  Again we would prefer this restricted administrator not have visibility of any hosts.  We would prefer to have DRS place the secondary VM automatically but this doesn't seem to be possible.

I don't know whether either of the above are deliberate design choices or bugs in vCenter, but in either case they don't seem to be documented *anywhere*.  Even VMware support hasn't been able to provide this information.  Hopefully anyone else who needs it can find it here.