It turns out this was quite specific to the context described above. I was using uWSGI to serve my site using emperor mode. I set the parameters uid=www-data and gid=www-data. I expected this to cause my vassal processes to have the permissions associated with the user and the group www-data as well as the permissions associated with any group to which www-data (the user) belongs. This assumption is incorrect. Vassals do not run (by default) with any supplementary group ids.
It turns out uWSGI (in recent versions) has a fix for this. You can manually specify add-gid=mygroup in the uWSGI configuration. You can specify this parameter many times to add as many gid's to a vassal process as your heart desires. This feature is only available as of uWSGI 1.9.15 so you might need to upgrade to use this approach.
Full writeup here.
