The common error that users run into in the personal card scenario is that the WCF service cannot verify the signing credentials of the SAML token. This is because a personal card causes the CardSpace runtime to issue a SAML token signed by an RSA key. You need to turn on one Boolean to make it work:

sh.Credentials.IssuedTokenAuthentication.AllowUntrustedRsaIssuers = true;
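
With this flag on, a token signed by any RSA key passes issuer validation, so the service has to decide access from the claims in the token. The following is an added example, not code from the original post: it sets the flag on a self-hosted service and allows only callers whose PPID claim is on a known list. IEcho, EchoService, PpidAuthorizationManager and the PPID value are hypothetical, and the endpoint and federation binding are assumed to be defined in app.config.

```csharp
using System;
using System.Collections.Generic;
using System.IdentityModel.Claims;
using System.IdentityModel.Policy;
using System.ServiceModel;

[ServiceContract]
public interface IEcho { [OperationContract] string Echo(string text); }  // hypothetical contract

public class EchoService : IEcho { public string Echo(string text) { return text; } }

// Issuer trust is no longer checked for RSA-signed tokens, so access is
// decided on the private personal identifier (PPID) claim of the card.
public class PpidAuthorizationManager : ServiceAuthorizationManager
{
    // Constructed placeholder; real values would be PPIDs recorded at enrollment.
    private static readonly HashSet<string> KnownPpids =
        new HashSet<string>(StringComparer.Ordinal) { "PLACEHOLDER-PPID" };

    protected override bool CheckAccessCore(OperationContext operationContext)
    {
        ServiceSecurityContext security = operationContext.ServiceSecurityContext;
        if (security == null || security.AuthorizationContext == null)
            return false; // unauthenticated call

        AuthorizationContext ctx = security.AuthorizationContext;
        foreach (ClaimSet claims in ctx.ClaimSets)
        {
            foreach (Claim c in claims.FindClaims(ClaimTypes.PPID, Rights.PossessProperty))
            {
                string ppid = c.Resource as string;
                if (ppid != null && KnownPpids.Contains(ppid))
                    return true;
            }
        }
        return false; // no recognized card presented
    }
}

public static class Program
{
    public static void Main()
    {
        using (ServiceHost sh = new ServiceHost(typeof(EchoService)))
        {
            // Accept SAML tokens signed by a bare RSA key (self-issued cards).
            sh.Credentials.IssuedTokenAuthentication.AllowUntrustedRsaIssuers = true;
            sh.Authorization.ServiceAuthorizationManager = new PpidAuthorizationManager();
            sh.Open();
            Console.ReadLine(); // keep the host running until Enter is pressed
        }
    }
}
```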