This issue took me the best part of a day to figure out, as I had the exact same code working on another machine in the office.
It turns out that I was missing some features in IIS, and that the web.config I had carried down was looking for these features. I was missing both authentication features and the URL Rewrite module, and as a result IIS believed my web.config was malformed.
There are similar answers across the Internet that mention the URL Rewrite module, so I’d look there first.