The problem is resolved by removing this line from the playbook:
sudo: yes
When sudo is run on the remote host, the environment variables set by ssh during login are no longer available. In particular, SSH_AUTH_SOCK, which “identifies the path of a UNIX-domain socket used to communicate with the agent” is no longer visible so ssh agent forwarding does not work.
Avoiding sudo when you don’t need it is one way to work around the problem. Another way is to ensure that SSH_AUTH_SOCK sticks around during your sudo session by creating a sudoers file:
/etc/sudoers:
Defaults env_keep += "SSH_AUTH_SOCK"