Major Description
PsImpersonateClient firstly ensures that the token we'll be going to provide it to the call can be actually impersonated in the first place, amongst other necessary requirements to be met (process' token mustn't be restricted, and so forth). Otherwise the kernel makes a copy of the token accordingly, to satisfy the caller's request.
None of that is done in ReactOS and that leads to inconsistencies and whatever issues might arise whilst impersonating. The SRM/Se component provides SeTokenCanImpersonate for use for the kernel, which is currently not implemented in our codebase.