After some searching, we discovered that iTunes for Windows doesn’t support TLS 1.1+.
We had disabled TLS 1.0 (and lower) on our servers as an easy way of complying with the upcoming PCI requirements, and then received reports of listeners unable to download podcast audio in iTunes. After a bunch of investigation (involving staring at Wireshark), we finally realized that iTunes was failing the TLS negotiation with the server. Reenabling TLS 1.0 (except for the pledge forms) fixed the issue.
Presumably, Apple will need to support newer TLS by June 30, 2018 to continue to support credit cards in iTunes.