I would have thought that one could basically switch the client credentials from this:

var clientCredentials = new ClientCredentials();
clientCredentials.UserName.UserName = "MyUserName"
clientCredentials.UserName.Password = "MyPassword"

to:

var clientCredentials = new ClientCredentials();
clientCredentials.ClientCertificate.Certificate = myX509Certificate;

and then create a wsTrustChannel to get a security token.

wsTrustChannelFactory.SetCredentials(clientCredentials);

var channel = _wsTrustChannelFactory.CreateChannel(new EndpointAddress(endpointAddress));

var token = channel.Issue(new RequestSecurityToken
{
    TokenType = tokenType,
    AppliesTo = new EndpointReference(realm),
    RequestType = RequestTypes.Issue,
    KeyType = KeyTypes.Bearer
}, out requestSecurityTokenResponse);

The username and password work fine, just using the certificate complains that there's no UserName specified. I was under the impression that the token issuer would look up the associated user from the certificate. Where am I going wrong here?

EDIT - Double whoops! I was using a UserNameWSTrustBinding for the endpoint, when I should have obviously been using a CertificateWSTrustBinding. Making this change solved this issue.

EDIT - I thought I'd solved this as below, but it's still asking for a Username even on this endpoint. Any ideas?

Whoops! Worked this out about 5 minutes after I posted the above question. There's a different endpoint address for the certificate authentication:

https://servername/identityserver/issue/wstrust/mixed/certificate

instead of

https://servername/identityserver/issue/wstrust/mixed/username