Hmm, on Chrome and Firefox on Android Marshmallow, this doesn't work, as it fails to ask for location permission. It does work on desktop Linux Chrome, which I'm guessing is using some Geo-IP stuff for the API.
On checking, my Android Chrome does have the setting "Location: ask before accessing enabled". (As opposed to the alternative which is "Blocked"). It also has the Location app permission enabled.
Aha - I should have remembered this - on adding an error callback, and examining the error object it gets passed, it's becuase only secure origins are allowed. I'm using Python's SimpleHTTPServer, wonder what the simplest secure equivalent is....
... end up yak shaving and setting up a public test site with proper LetsEncrypt cert. Hohum....
Gnnn - seems like Android Blink has "quirks"; the API call never returns - not even calling the error callback if no timeout is specified - if the "just GPS" location mode is enabled. (Perhaps it would work if the phone is outside? It's raining right now though...) Firefox didn't have any such problems, although quite possibly the returned coords are bogus, I haven't checked.
External references: