The RST call from STS client (STSClient.requestSecurityToken(...)) only sends the AppliesTo element first time the call is done. On subsequent calls it is omitted.
Apparently this happens because the IssuedTokenInterceptorProvider sets the STSClient's addressingNamespace field to null in a finally block of the issueToken(...) method (org.apache.cxf.ws.security.policy.interceptors.IssuedTokenInterceptorProvider line 544). The STSClient requires this field to be non-null to set the element.
A workaround is to enable the «addressing» feature on the CXF bus. This makes sure that an AddressingProperties is available on the message context, whic STS client uses as an alternative way to get the addressingNamespace property: