
ID1038: The AudienceRestrictionCondition was not valid because the specified Audience is not present in AudienceUris


In trying to create my own SAML bearer token (simulating a 3rd party)

using System.IdentityModel.Tokens; // WIF: SecurityTokenDescriptor lives here

var descriptor = new SecurityTokenDescriptor();
// AppliesToAddress becomes the <saml:Audience> of the issued assertion
descriptor.AppliesToAddress = "what-should-I-put-here";

and exchange it for a JWT from ADFS, ADFS is giving the error

ID1038: The AudienceRestrictionCondition was not valid because the specified Audience is not present in AudienceUris

Solution

  • Other answers on the internet point you to setting entries in app.config but this was a red herring for this scenario.

    The correct AudienceUri is your ADFS server with a particular path:

    descriptor.AppliesToAddress = "http://my-really-frustrating-adfs-server/adfs/services/trust";
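The following is an added example, not code from the question or the answer above. It shows the two halves of the audience check that ID1038 reports on: a third party minting a SAML 2.0 bearer token with the WIF `SecurityTokenDescriptor` (so `AppliesToAddress` ends up as the assertion's Audience), and the validating side rejecting any token whose Audience is not in its `AllowedAudienceUris`. The ADFS host name, the issuer name, the certificate thumbprint and the subject claim are all placeholders I made up; the audience value is the `/adfs/services/trust` path from the answer.

```csharp
using System;
using System.IO;
using System.Text;
using System.Xml;
using System.Security.Claims;
using System.Security.Cryptography.X509Certificates;
using System.IdentityModel.Tokens;
using System.IdentityModel.Selectors;
using System.IdentityModel.Protocols.WSTrust;

// Added example (assumed names, not from the page):
//   ADFS_HOST               - your ADFS server host name
//   THUMBPRINT_PLACEHOLDER  - thumbprint of the 3rd party's signing certificate
//   IssuerName              - the issuer URI ADFS has configured for that 3rd party
static class SamlBearerAudienceDemo
{
    const string AdfsTrustEndpoint = "http://ADFS_HOST/adfs/services/trust";
    const string IssuerName = "http://third-party.example/issuer";   // constructed
    const string IssuerCertThumbprint = "THUMBPRINT_PLACEHOLDER";

    static X509Certificate2 LoadSigningCert()
    {
        var store = new X509Store(StoreName.My, StoreLocation.CurrentUser);
        store.Open(OpenFlags.ReadOnly);
        try
        {
            var found = store.Certificates.Find(
                X509FindType.FindByThumbprint, IssuerCertThumbprint, validOnly: false);
            if (found.Count == 0)
                throw new InvalidOperationException("Signing certificate not found in CurrentUser\\My.");
            return found[0];
        }
        finally { store.Close(); }
    }

    // Issuer side: AppliesToAddress is what the Audience element is built from.
    static string CreateSamlBearerToken(X509Certificate2 cert, string audience)
    {
        var descriptor = new SecurityTokenDescriptor
        {
            TokenIssuerName = IssuerName,
            AppliesToAddress = audience,
            Lifetime = new Lifetime(DateTime.UtcNow, DateTime.UtcNow.AddMinutes(10)),
            SigningCredentials = new X509SigningCredentials(cert),
            Subject = new ClaimsIdentity(new[] { new Claim(ClaimTypes.Name, "alice@example.com") }) // constructed
        };
        var handler = new Saml2SecurityTokenHandler();
        SecurityToken token = handler.CreateToken(descriptor);

        var sb = new StringBuilder();
        using (var writer = XmlWriter.Create(sb, new XmlWriterSettings { OmitXmlDeclaration = true }))
            handler.WriteToken(writer, token);
        return sb.ToString();
    }

    // Relying-party side: the same AudienceRestriction check that produces ID1038.
    static ClaimsIdentity ValidateSamlBearerToken(string tokenXml, X509Certificate2 issuerCert)
    {
        var config = new SecurityTokenHandlerConfiguration();
        config.AudienceRestriction.AudienceMode = AudienceUriMode.Always;
        config.AudienceRestriction.AllowedAudienceUris.Add(new Uri(AdfsTrustEndpoint));

        var registry = new ConfigurationBasedIssuerNameRegistry();
        registry.AddTrustedIssuer(issuerCert.Thumbprint, IssuerName);
        config.IssuerNameRegistry = registry;
        // Lab setting so a self-issued cert validates; use chain or peer trust outside a lab.
        config.CertificateValidator = X509CertificateValidator.None;

        var handler = new Saml2SecurityTokenHandler { Configuration = config };
        using (var reader = XmlReader.Create(new StringReader(tokenXml)))
        {
            SecurityToken token = handler.ReadToken(reader);
            return handler.ValidateToken(token)[0];
        }
    }

    static void Main()
    {
        X509Certificate2 cert = LoadSigningCert();

        // Matching audience: validates, and the subject claim comes back.
        string good = CreateSamlBearerToken(cert, AdfsTrustEndpoint);
        Console.WriteLine("accepted: " + ValidateSamlBearerToken(good, cert).Name);

        // Audience the validator does not list: the ID1038 failure from the question.
        string bad = CreateSamlBearerToken(cert, "http://ADFS_HOST/some-other-path");
        try { ValidateSamlBearerToken(bad, cert); }
        catch (AudienceUriValidationFailedException ex) { Console.WriteLine("rejected: " + ex.Message); }
    }
}
```

The validator here stands in for ADFS only to make the failure reproducible offline; the actual WS-Trust exchange that turns the SAML token into a JWT is not shown. Targeting .NET 4.5 with the in-box WIF assemblies (`System.IdentityModel`) is assumed.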