The error is:
WIF10201: No valid key mapping found for securityToken: 'System.IdentityModel.Tokens.X509SecurityToken' and issuer: 'http://MY-ADFS/adfs/services/trust'.
I have a simple WIF application, circa VS 2012, that I use to display claims, and I ported it over to use on ADFS 4.0.
Then I got the above error.
The solution is as per "Signing key rollover in Azure Active Directory".
Yes - it says AAD but the client-side code for ADFS is the same since it's all driven from the metadata.
Use the code from: "Web applications protecting resources and created with Visual Studio 2012".
When I compared the web.config changes, the error seemed to be because the server name is "MY-ADFS" (in caps) but I had written "my-adfs" (no caps) in the web.config.
The thumbprint was also in caps (although I've never had an issue with that).
The code gives you a nice comment:
"Element below commented by: ValidatingIssuerNameRegistry.WriteToConfg on: '20/03/2017 1:00:16 a.m. (UTC)'. Differences were found in the Metadata from: ..."
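A quick way to spot the casing mismatch described above before redeploying, as an added example that is not part of the original post or of WIF itself. It assumes the web.config uses the ValidatingIssuerNameRegistry layout (authority / validIssuers); the function names, the sample config and the placeholder thumbprint are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample: issuerNameRegistry section of a web.config with the
# host typed in lower case. The thumbprint is a placeholder, not a real value.
SAMPLE_CONFIG = """<configuration>
  <system.identityModel>
    <identityConfiguration>
      <issuerNameRegistry type="System.IdentityModel.Tokens.ValidatingIssuerNameRegistry, System.IdentityModel.Tokens.ValidatingIssuerNameRegistry">
        <authority name="http://my-adfs/adfs/services/trust">
          <keys>
            <add thumbprint="PLACEHOLDER_THUMBPRINT" />
          </keys>
          <validIssuers>
            <add name="http://my-adfs/adfs/services/trust" />
          </validIssuers>
        </authority>
      </issuerNameRegistry>
    </identityConfiguration>
  </system.identityModel>
</configuration>"""


def configured_issuers(config_xml):
    """Return every issuer name listed under <authority>/<validIssuers>."""
    root = ET.fromstring(config_xml)
    names = []
    for authority in root.iter("authority"):
        for entry in authority.findall("./validIssuers/add"):
            names.append(entry.get("name", ""))
    return names


def check_issuer(config_xml, token_issuer):
    """Classify the issuer quoted in the WIF10201 message against the config:
    'match', 'case-mismatch' (same name, different casing) or 'missing'."""
    names = configured_issuers(config_xml)
    if token_issuer in names:
        return "match"
    if token_issuer.lower() in (n.lower() for n in names):
        return "case-mismatch"
    return "missing"


if __name__ == "__main__":
    issuer = "http://MY-ADFS/adfs/services/trust"  # issuer from the error text
    print(check_issuer(SAMPLE_CONFIG, issuer))
```

A "case-mismatch" result points at the situation in this post; "missing" means the issuer is not configured at all and the metadata should be re-read.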