UserPrincipalEx Access Denied when changing password Windows Server 2016 AD

I was using the following code fine in my old environment:

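    using System;
    using System.DirectoryServices.AccountManagement;

    // Bind to the domain, scoped to the user OU, with the service account's credentials.
    PrincipalContext ctx = new PrincipalContext(ContextType.Domain,
        Environment.GetEnvironmentVariable("DOMAIN"),
        Environment.GetEnvironmentVariable("USER_OU"),
        Environment.GetEnvironmentVariable("SERVICE_USERNAME"),
        Environment.GetEnvironmentVariable("SERVICE_PASSWORD"));

    // UserPrincipalEx is a custom principal class whose definition is not shown.
    UserPrincipalEx usr = new UserPrincipalEx(ctx);

    usr.Name = ticket.FirstName + " " + ticket.LastName;
    usr.SamAccountName = ticket.Username;
    usr.GivenName = ticket.FirstName;
    usr.Surname = ticket.LastName;
    usr.DisplayName = ticket.FirstName + " " + ticket.Account.LastName;
    usr.UserPrincipalName = ticket.Username + "@" + Environment.GetEnvironmentVariable("DOMAIN");
    usr.Enabled = enabled;

    try
    {
        usr.Save();                // creates the account in AD (this succeeds)
        usr.SetPassword(temppwd);  // throws "Access is denied" (E_ACCESSDENIED)
        usr.ExpirePasswordNow();   // force a password change at next logon
    }
    catch (Exception)
    {
        // Assumed handler (the original snippet ends at the try block):
        // rethrow so the failure surfaces.
        throw;
    }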

I can save the user and it appears in AD; however, SetPassword no longer works:

    [IIS EXPRESS] Request started: "POST" https://localhost:5001/create
    System.Reflection.TargetInvocationException: Exception has been thrown by the target of an invocation. ---> System.UnauthorizedAccessException: Access is denied. (Exception from HRESULT: 0x80070005 (E_ACCESSDENIED))
       --- End of inner exception stack trace ---
       at System.DirectoryServices.DirectoryEntry.Invoke(String methodName, Object[] args)
       at System.DirectoryServices.AccountManagement.SDSUtils.SetPassword(DirectoryEntry de, String newPassword)
       at System.DirectoryServices.AccountManagement.ADStoreCtx.SetPassword(AuthenticablePrincipal p, String newPassword)
       at System.DirectoryServices.AccountManagement.PasswordInfo.SetPassword(String newPassword)
       at System.DirectoryServices.AccountManagement.AuthenticablePrincipal.SetPassword(String newPassword)

My service account is a Domain Admin (dev environment only) and I get the same error if I try my own AD creds.

I have tried calling SetPassword() before Save() but it fails at the same point.

The only difference is that I have AD and IIS on the same server.

asp.net-core
active-directory
asked on Stack Overflow Sep 25, 2019 by Hawke • edited Sep 26, 2019 by Hawke

0 Answers

Nobody has answered this question yet.


User contributions licensed under CC BY-SA 3.0