I found the solution (I am using Thinktecture Identity Server). I had to set up a delegation account that my web application uses (webappaccount) to delegate to the realm my service is in by going to Identity Delegation->Add Realm in identity server, and in my web application I had to make a service call to my STS providing the bootstrap token to receive a new security token which I can then use to authenticate to my service.

In the web app config I set:

<system.identityModel>
    <identityConfiguration saveBootstrapContext="true">

and in my web app the code to access my service looks like:

BootstrapContext context = ClaimsPrincipal.Current.Identities.First().BootstrapContext as BootstrapContext;

var factory = new WSTrustChannelFactory(
    new UserNameWSTrustBinding(SecurityMode.TransportWithMessageCredential), _trustUrl);
factory.TrustVersion = TrustVersion.WSTrust13;

factory.Credentials.UserName.UserName = "webappaccount";
factory.Credentials.UserName.Password = "P@ssword";

var rst = new RequestSecurityToken
{
    RequestType = RequestTypes.Issue,
    KeyType = KeyTypes.Bearer,
    AppliesTo = new EndpointReference(_realm),
    ActAs = new SecurityTokenElement(context.SecurityToken)
};

var token = factory.CreateChannel().Issue(rst) as GenericXmlSecurityToken;

var client = new HttpClient
{
    BaseAddress = _baseAddress
};

client.SetToken("SAML", token.TokenXml.OuterXml);

var response = client.GetAsync("api/values").Result;

My REST service did not require any changes.