Simple certificate security of a WCF service using Message security mode

I'm struggling with what seems like a simple task: Create a secure WCF service with Message security option. WCF service should only respond to clients that provide a valid X509 certificate. Once the clients are authenticated, it should treat them as anonymous users but execute their requests. Http is used, not HTTPS. wsHttpBinding.

I've created a self-signed cert with a custom-made root authority cert. I've uploaded both to the web servers. I've installed both properly. I've given the self-signed certificate read-only access to private keys to "Everyone" (at least for now to eliminate key-permission issues).

I've installed the self-signed cert on the client machines. I'm supplying the call to my WCF service with the client certificate. I'm getting the following error: {"The request for security token could not be satisfied because authentication failed."} The Web-servers are reporting a "Logon Failure" security event in the Event Viewer:

Subject:
    Security ID:        SYSTEM
    Account Name:       WEB-XXXXX
    Account Domain:     XXXXXX
    Logon ID:       0x3e7

Logon Type:         3

Account For Which Logon Failed:
    Security ID:        NULL SID
    Account Name:       
    Account Domain:     

Failure Information:
    Failure Reason:     Unknown user name or bad password.
    Status:         0xc000006d
    Sub Status:     0xc0000064

Here is the relevant web.config of the WCF service:

  <system.serviceModel>

    <bindings>
      <wsHttpBinding>
        <clear/>
        <binding name="wsHttpBindingSecure">
          <security mode="Message">
            <message clientCredentialType="Certificate"/>
            <transport clientCredentialType="None"></transport>
          </security>
        </binding>
      </wsHttpBinding>
    </bindings>

    <services>
      <service behaviorConfiguration="LegacyServiceBehavior" name="RDC.External.MainSite.LegacyDataProvider.WCF.LegacyService">
        <endpoint address="secure" bindingConfiguration="wsHttpBindingSecure" binding="wsHttpBinding" name="Secure" contract="RDC.Domain.Commerce.Common.ILegacySecureService">
          <identity>
            <certificateReference findValue="legacyservice" storeLocation="LocalMachine" storeName="My" x509FindType="FindBySubjectName"/>
          </identity>
        </endpoint>
      </service>
    </services>

    <behaviors>
      <serviceBehaviors>
        <behavior name="LegacyServiceBehavior">
          <serviceMetadata httpGetEnabled="true" httpsGetEnabled="false" />
          <serviceDebug includeExceptionDetailInFaults="true" />
          <serviceCredentials>
            <serviceCertificate findValue="legacyservice" storeLocation="LocalMachine" storeName="My" x509FindType="FindBySubjectName"/>
          </serviceCredentials>
        </behavior>
      </serviceBehaviors>
    </behaviors>
    <serviceHostingEnvironment multipleSiteBindingsEnabled="true" />
  </system.serviceModel>

Here is the relevant section from client's app.config:

  <system.serviceModel>
    <bindings>
      <wsHttpBinding>
        <binding name="Secure" closeTimeout="00:01:00" openTimeout="00:01:00"
            receiveTimeout="00:10:00" sendTimeout="00:01:00" bypassProxyOnLocal="false"
            transactionFlow="false" hostNameComparisonMode="StrongWildcard"
            maxBufferPoolSize="524288" maxReceivedMessageSize="65536"
            messageEncoding="Text" textEncoding="utf-8" useDefaultWebProxy="true"
            allowCookies="false">
          <readerQuotas maxDepth="32" maxStringContentLength="8192" maxArrayLength="16384"
              maxBytesPerRead="4096" maxNameTableCharCount="16384" />
          <reliableSession ordered="true" inactivityTimeout="00:10:00"
              enabled="false" />
          <security mode="Message">
            <message clientCredentialType="Certificate" negotiateServiceCredential="true"
                algorithmSuite="Default"/>
          </security>
        </binding>
      </wsHttpBinding>
    </bindings>
    <client>
      <endpoint address="http://www---url---.com/secure"
          binding="wsHttpBinding" behaviorConfiguration="secureBehavior" bindingConfiguration="Secure" contract="RDC.Domain.Commerce.Common.ILegacySecureService"
          name="Secure">
        <identity>
          <certificateReference x509FindType="FindBySubjectName" findValue="legacyservice" storeLocation="LocalMachine" storeName="My"/>
        </identity>
      </endpoint>
    </client>
    <behaviors>
      <endpointBehaviors>
        <behavior name="secureBehavior">
          <clientCredentials supportInteractive="false">
            <clientCertificate x509FindType="FindBySubjectName" findValue="legacyservice" storeLocation="LocalMachine" storeName="My"/>
          </clientCredentials>
        </behavior>
      </endpointBehaviors>
    </behaviors>
  </system.serviceModel>

I've been struggling with this for the last 3 days and am at the last of my efforts... any suggestions as to what I'm doing wrong?

Thank you kindly