`sudo` does not work from within vscode-fhs

The answer is pretty clear:

All the Linux namespace wrappers (bubblewrap, NixOS user chroot, firejail, etc.) seem to enforce PR_SET_NO_NEW_PRIVS, which means suid binaries cannot be executed. Rightfully so, in my opinion, because suid binaries allow the jailed application to break out and elevate its privileges.

I.e., for security reasons, this is not possible. If you want to run a command as root, you have to do it in a terminal not launched by vscode.

Alternatively, you could use the vscode (or vscodium) versions that are not inside an fhs env. Those cannot use extensions that aren’t specifically tweaked to run on NixOS, though - such extensions do live inside nixpkgs, so it’s viable (and I’d argue preferable), just less convenient.

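The `PR_SET_NO_NEW_PRIVS` behaviour described in the post can be observed directly. The C program below is an added example, not part of the original post: in a child process it sets the flag the way a sandbox wrapper would, confirms the kernel refuses to clear it, and confirms that a shell exec'd afterwards still reports it. The names `nnp_get` and `nnp_demo` are illustrative, and it assumes Linux with `/proc` mounted and `/bin/sh` present.

```c
/* Added example (not from the original post). Linux-only, uses prctl(2). */
#include <errno.h>
#include <stdio.h>
#include <sys/prctl.h>
#include <sys/wait.h>
#include <unistd.h>

/* no_new_privs state of the calling process: 1 = set, 0 = clear, -1 = error. */
int nnp_get(void) { return prctl(PR_GET_NO_NEW_PRIVS, 0, 0, 0, 0); }

/* Shell snippet (builtins only) that exits 0 when /proc reports NoNewPrivs: 1. */
static const char *CHECK =
    "exec </proc/self/status; while read k v; do "
    "[ \"$k\" = NoNewPrivs: ] && [ \"$v\" = 1 ] && exit 0; done; exit 1";

/* Set the flag in a forked child, then verify it is one-way and survives
 * execve(). Returns 0 when all three properties hold, 2 if setting failed,
 * 3 if clearing was allowed, 1 if the exec'd shell did not see the flag,
 * 127 if /bin/sh could not be executed, -1 on fork/wait error. */
int nnp_demo(void)
{
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0 || nnp_get() != 1)
            _exit(2);
        /* The kernel rejects any attempt to clear the flag (EINVAL). */
        if (prctl(PR_SET_NO_NEW_PRIVS, 0, 0, 0, 0) == 0 || errno != EINVAL)
            _exit(3);
        /* Everything exec'd from here on inherits the flag, so a setuid
         * binary such as sudo would run without gaining root. */
        execl("/bin/sh", "sh", "-c", CHECK, (char *)NULL);
        _exit(127);
    }
    int status;
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status)) return -1;
    return WEXITSTATUS(status);
}

int main(void)
{
    printf("this process: no_new_privs=%d\n", nnp_get());
    printf("child demo result: %d (0 = set, irreversible, inherited)\n", nnp_demo());
    return 0;
}
```

Run from the VS Code integrated terminal and from an ordinary terminal, the first line of output shows whether the shell you are typing into already carries the flag.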