Turns out I was using the wrong messageSecurityVersion
value. With a value of WSSecurity10WSTrustFebruary2005WSSecureConversationFebruary2005WSSecurityPolicy11BasicSecurityProfile10
only a single signature is added to the SOAP header.
Afterwards the server was able to understand the requests. Some tweaks to the defaultAlgorithmSuite
and now service and client are talking and understanding each other.