Reputation: 21
I have one server that hosts two sites: one is a webapi site and the other is a wcf site, as below. The identity site is the wcf site, the sql site is the webapi site:
And I set accounts for both of them as their app pool identities:
identity site -> kerberos\identity
sql site -> kerberos\sql
Both sites use Windows Authentication, and the sql site also enables ASP.NET Impersonation, enables useAppPoolIdentity in system.webServer.authentication.windowsAuthentication, and has "Impersonate a client after authentication" set in Local Security Policy.
The two accounts have SPNs and delegation set in AD, like: Sql Account and Identity Account
Now my sql site must call the service in the identity site, impersonating the user to make the call, but I fail to impersonate the user. In the sql site I use HttpContext.Current.User.Identity to get the user and the user is right, but in the identity site, Thread.CurrentPrincipal.Identity always gives the sql site app pool identity. I don't know why it fails.
In the webapi code, I use

    using System.Security.Principal;
    using System.Web;

    // Option 1: impersonate the authenticated caller for the duration of the call.
    // The "as" cast yields null if the request was not Windows-authenticated.
    using ((HttpContext.Current.User.Identity as WindowsIdentity).Impersonate())
    {
        callService();
    }

or

    // Option 2: run the call under the caller's access token (.NET Framework 4.6+)
    WindowsIdentity.RunImpersonated((HttpContext.Current.User.Identity as WindowsIdentity).AccessToken, () =>
    {
        callService();
    });
Neither works. I have succeeded with this process in a previous environment, but not in this one; it always fails when calling the identity site service.
I set up this environment to simulate the AAD App Proxy procedure, to confirm that our webapi project can call the wcf service as the exact user in our production environment. The test environments are on local Hyper-V, as is the AD controller.
Upvotes: 0
Views: 323
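As an added diagnostic (example code, not from the question or any answer): before the sql site impersonates the caller for the second hop, it can check the token it actually holds. A TokenImpersonationLevel of Impersonation rather than Delegation, or an NTLM AuthenticationType, means the first hop did not yield a credential that can be forwarded, so the identity site will see the app pool account. The names DelegationCheck, Describe and CallAsCaller are assumed.

```csharp
using System;
using System.Security.Principal;
using System.Web;

// Added diagnostic for the double-hop scenario in the question; not the asker's code.
// Run inside the sql (webapi) site, where HttpContext.Current is available.
public static class DelegationCheck
{
    // Summarises the caller's token so the result can be logged on the first hop.
    public static string Describe(WindowsIdentity id)
    {
        if (id == null) return "no WindowsIdentity on the request";
        // An NTLM logon never produces a forwardable ticket; Kerberos is required.
        // ImpersonationLevel must be Delegation for the token to be usable on the
        // next hop; Impersonation means it is only valid on this machine.
        bool delegable = id.ImpersonationLevel == TokenImpersonationLevel.Delegation;
        return string.Format("User={0} Auth={1} Level={2} Delegable={3}",
            id.Name, id.AuthenticationType, id.ImpersonationLevel, delegable);
    }

    // Runs the second-hop call as the caller only when the token can be delegated;
    // otherwise fails loudly so the misconfiguration shows up in the sql site's logs
    // instead of as a silent fallback to the app pool identity on the identity site.
    public static void CallAsCaller(Action callService)
    {
        var id = HttpContext.Current.User.Identity as WindowsIdentity;
        bool ok = id != null
            && id.ImpersonationLevel == TokenImpersonationLevel.Delegation;
        if (!ok)
            throw new InvalidOperationException("Token not delegable: " + Describe(id));
        WindowsIdentity.RunImpersonated(id.AccessToken, callService);
    }
}
```

If Describe reports Level=Impersonation with Auth=Kerberos, the sql account's delegation setting (or its SPN) is the place to look; if it reports Auth=NTLM, the client never obtained a Kerberos ticket for the sql site in the first place.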