Yep, tox will never do system-level changes; that is outside its scope. From some point of view it can even be considered against its scope (isolation).

While it does not install the missing system dependencies itself, you may still be interested in the https://github.com/tox-dev/tox-bindep plugin.

That one identifies missing dependencies and fails the run if some are missing, making execution less confusing for the user.

Some CI/CD systems are able to install bindep dependencies automatically, like Zuul CI.
You could also write some Ansible playbooks (or shell scripts) and run them if needed, that being another common approach.

Keep in mind that installing missing system dependencies is the kind of feature that keeps giving... bug reports. You can never have full coverage of all possible environments on which someone will try to run your code. Just be warned; I am saying this because I got hit by it myself.

Cheers
Sorin