This is more difficult than it should be, quelle surprise
What do I actually mean?
An XBAP is a WPF browser application, and the XBAP is actually an xml document that tells internet explorer and presentationhost.exe how to host the WPF application.
As the whole idea of the XBAP application is to run in the browser, not unreasonably it runs in a security sandbox.
The problem lies with any control that uses special permissions (guilty = datagrid in WPFToolkit) or if you try to use anything in WCF other than basicHttpBinding or wsHttpBinding (with most things turned).
The trick for WCF is to make sure that the xbap project runs from the same web root as the wcf project.
Not even silverlight is this restricted – why oh why can’t we use duplex http or similar wcf with xbap????
Anyway there is an excellent article by someone here, it shows you how to set up your xbap and wcf projects