If using WS-SecurityPolicy, Subject Confirmation requirements are enforced on SAML Tokens. So for HolderOfKey, the subject credential of the SAML Assertion must have been used to sign some portion of the message, or else must match a client certificate if 2-way TLS is used. For SenderVouches, the SAML Assertion and SOAP Body must be signed by the same credential (TLS or message level).
However, this is not enforced for the non WS-SecurityPolicy approach, which uses simple WSS4J actions. This task is to add this support to CXF. It will be enabled by default in CXF 2.7.1, but disabled by default in CXF 2.5.6 and 2.6.4. It is configurable via the jaxws property SecurityConstants.VALIDATE_SAML_SUBJECT_CONFIRMATION ("ws-security.validate.saml.subject.conf").