this is how we do this in the constructor of our webservice:
if (OperationContext.Current.ServiceSecurityContext.AuthorizationContext.ClaimSets == null)
throw new SecurityException ("No claimset service configured wrong");
if (OperationContext.Current.ServiceSecurityContext.AuthorizationContext.ClaimSets.Count <= 0)
throw new SecurityException ("No claimset service configured wrong");
var cert = ((X509CertificateClaimSet) OperationContext.Current.ServiceSecurityContext.
AuthorizationContext.ClaimSets[0]).X509Certificate;
//this contains the thumbprint
cert.Thumbprint