well, it looks like I solved it... all I needed was a good night sleep 🙂
Turns out that my Route for Service2 was using the sending service instead of the target service, so effectively I was trying to send to myself using the certificate of the target.
I should write a tool that auto generates the code for these things!
Thanks to those who looked at this, sorry to waste your guys time.