well, it looks like I solved it... all I needed was a good night sleep 🙂

Turns out that my Route for Service2 was using the sending service instead of the target service, so effectively I was trying to send to myself using the certificate of the target.

I should write a tool that auto generates the code for these things!

Thanks to those who looked at this, sorry to waste your guys time.