If you find yourself running into this error, here’s one solution that you might not find elsewhere (at least at the time of this writing). Look at the SSL Settings > Require SSL checkbox for the SharePoint Web Services site and its SecurityTokenServiceApplication subnode, and make sure that it is unchecked, as SharePoint accesses it locally over port 80.
This is an obscure self-own, but if you like to set your IIS configuration via script, it’s easy to accidentally turn Require SSL on here and (seemingly) brick your WFE.
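Since the setting usually gets flipped by a script, a script is also the quickest way to audit it. The following is an added example, not code from the original post: it reads the `sslFlags` value behind the Require SSL checkbox for both nodes and can reset it. It assumes the WebAdministration module and an elevated session on the WFE; the function name `Test-RequireSsl` is hypothetical.

```powershell
# Added example: audit (and optionally clear) "Require SSL" on the two nodes
# named in the post. Run elevated on the WFE.
Import-Module WebAdministration

$apphost = 'MACHINE/WEBROOT/APPHOST'            # the access section lives in applicationHost.config
$filter  = 'system.webServer/security/access'   # section that holds sslFlags
$nodes   = @(
    'SharePoint Web Services',
    'SharePoint Web Services/SecurityTokenServiceApplication'
)

function Test-RequireSsl {                      # hypothetical helper name
    param(
        [Parameter(Mandatory)][string]$Location,
        [switch]$Fix
    )

    $raw = Get-WebConfigurationProperty -PSPath $apphost -Location $Location `
               -Filter $filter -Name 'sslFlags'

    # The value may come back as a plain string or as an attribute object
    # exposing .Value; normalise it to a string either way.
    $flags = if ($null -ne $raw -and $raw.PSObject.Properties['Value']) {
        [string]$raw.Value
    } else {
        [string]$raw
    }

    # "Require SSL" in IIS Manager corresponds to the Ssl flag.
    $required = ($flags -split ',' | ForEach-Object { $_.Trim() }) -contains 'Ssl'

    if ($required -and $Fix) {
        # 'None' clears Require SSL along with any client-certificate flags.
        Set-WebConfigurationProperty -PSPath $apphost -Location $Location `
            -Filter $filter -Name 'sslFlags' -Value 'None'
    }

    [pscustomobject]@{
        Location   = $Location
        SslFlags   = $flags
        RequireSsl = $required
        Reset      = [bool]($required -and $Fix)
    }
}

# Report only; add -Fix to the call to uncheck Require SSL where it is set.
$nodes | ForEach-Object { Test-RequireSsl -Location $_ } | Format-Table -AutoSize
```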