Looking at the code, the XSS Sanitize Java Action uses the OWASP project.
For images, it uses the built in image sanitizer method, and the comment for this is that it only allows values in the src element to be http, https, or relative urls. This would block data urls, which is what you are seeing.
To change this behaviour I think you are going to have to write your own version of the XSS Sanitize action to not use the image sanitizer provided, but to use your own rules.
In addition to Robert's answer, this StackOverflow seems to suggest you can add a policy to allow data type entries in your policy. So you could extend the existing functions by adding an additional policy definition. But it would definitely require some additional Java coding.