TCP/UDP ports that cannot be bound (permission error), but don't show up in netstat
Through trial-and-error (shutting down services and testing if the port can be bound), I determined the cause to be the Internet Connection Sharing (ICS) service. I apparently had it enabled on an interface (to provide my hosted wifi used for testing with internet), and it was probably reserving those ports for NAT.
Note that in general, it is possible for programs to bind a port, but not listen on it. They will still block the port, but they will not appear in netstat. I have created a separate question regarding how to detect such ports/programs.
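A way to tell these cases apart from the outside, as an added example that is not part of the original answer: it tries to bind the port, then tries to connect to it, and classifies the result. The function names and result labels are hypothetical; "denied" corresponds to the permission error in the title, and `demo()` uses a constructed holder socket on a port the OS picks.

```python
import errno
import socket

# Constructed mapping: POSIX errno values plus the Winsock codes Windows reports.
DENIED = {errno.EACCES, 10013}      # WSAEACCES: reserved/excluded or privileged port
IN_USE = {errno.EADDRINUSE, 10048}  # WSAEADDRINUSE: another socket holds the port


def has_listener(port, host="127.0.0.1", timeout=0.5):
    """Return True if a TCP connect to host:port is accepted."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as c:
        c.settimeout(timeout)
        return c.connect_ex((host, port)) == 0


def probe_tcp_port(port, host="127.0.0.1"):
    """Classify a local TCP port: free, listening, bound-not-listening, denied."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        try:
            s.bind((host, port))
            return "free"
        except OSError as e:
            # Windows puts the Winsock code in winerror; POSIX only sets errno.
            codes = {e.errno, getattr(e, "winerror", None)}
    if has_listener(port, host):
        return "listening"            # bind failed because a server owns the port
    if codes & DENIED:
        return "denied"               # no listener, yet the OS refuses the bind
    if codes & IN_USE:
        return "bound-not-listening"  # held by a socket that never called listen()
    raise OSError(f"unexpected bind failure on port {port}: {codes}")


def demo():
    """Hold a port with bind() only, then start listening on it."""
    holder = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    holder.bind(("127.0.0.1", 0))     # OS picks a free port
    port = holder.getsockname()[1]
    before = probe_tcp_port(port)     # bound, but nothing accepts connections
    holder.listen(1)
    after = probe_tcp_port(port)      # now a connect succeeds
    holder.close()
    return before, after


if __name__ == "__main__":
    print(demo())
```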