The bug is: if you supply a passphrase, it will indeed be passed to gpg and the signature will be done (the signature counter on the card is increased for example) -- however, python-gnupg will signal an error.
Adding this as an additional valid response wherever 'NEED_PASSPHRASE' is accepted works for me and allows use of the smartcard keys. However, I am not familair enough with gpg or python-gnupg to tell what other changes might be needed. I would guess that the 'PIN' is like 'SYM' in how it needs to be handled.
If this list of codes I found is comprehensive, this is the only "PIN" related response