You don't need a virtual machine to sandbox C++; or rather, there's already a virtual machine in action, in the form of virtual memory and CPU privilege levels. The only way C++ (or any other native language) has to access the world outside its own is through calls to the kernel. Without direct file I/O APIs, options are even more limited (e.g. you can't easily write your own DLL loader).
OS X/iOS use a 'sandbox' driver that utilizes TrustedBSD MAC infrastructure ( https://developer.apple.com/library/mac/#documentation/Darwi... ).
Basically, most system calls can be verified against one or more policy modules, and blocked if non-compliant.
Not really possible with Windows and its bajillion syscalls (1000 in win32k alone, AFAIR).
It may be C++, but it is managed C++ that runs above the WinRT layer, just like C# and JavaScript for Metro. It will have the same restrictions as the other languages. It is actually interesting: when you start a Metro project, at least in the beta, you get the WinRT libraries and that's it. A ton of the traditional .NET classes have been moved into the WinRT library or removed altogether.