EDIT - Double whoops! I was using a UserNameWSTrustBinding for the endpoint, when I should have obviously been using a CertificateWSTrustBinding. Making this change solved this issue.
EDIT - I thought I'd solved this as below, but it's still asking for a Username even on this endpoint. Any ideas?
Whoops! Worked this out about 5 minutes after I posted the above question. There's a different endpoint address for the certificate authentication:
https://servername/identityserver/issue/wstrust/mixed/certificate
instead of
https://servername/identityserver/issue/wstrust/mixed/username