ACS chooses keys to sign a JWT in the following precedence order:
- Relying party symmetric key
- Relying party certificate
- Service-wide certificate
What you don't see anywhere on this list is a Symmetric service key, because there are security issues with using a symmetric key between more than two entities.
What this means is that your key needs to be associated with the relying party, not the namespace, as in the following screenshot.