It looks like the 'Recipient' attribute of the SubjectConfirmationData element is incorrect. Per http://docs.oasis-open.org/security/saml/v2.0/saml-profiles-2.0-os.pdf, section 4.1.4.2:
The bearer <SubjectConfirmation> element described above MUST contain a <SubjectConfirmationData> element that contains a Recipient attribute containing the service provider's assertion consumer service URL and a NotOnOrAfter attribute that limits the window during which the assertion can be delivered. It MAY contain an Address attribute limiting the client address from which the assertion can be delivered. It MUST NOT contain a NotBefore attribute. If the containing message is in response to an <AuthnRequest>, then the InResponseTo attribute MUST match the request's ID.
Look at your vCD Org metadata and you'll find an AssertionConsumerService element; the 'Recipient' field should be the URL of that element.
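
A check of the rules quoted above, as an added example that is not part of the original answer or of vCD: it reads the AssertionConsumerService Location values from SP metadata and tests a bearer SubjectConfirmationData against them. The host names, request ID and both XML samples are constructed, and signature and expiry validation are assumed to happen elsewhere.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "md": "urn:oasis:names:tc:SAML:2.0:metadata"}
BEARER = "urn:oasis:names:tc:SAML:2.0:cm:bearer"

# Constructed sample SP metadata and assertion fragment (hypothetical host names).
SP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" entityID="https://sp.example.test/saml/metadata">
 <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
  <md:AssertionConsumerService index="0" Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://sp.example.test/saml/acs"/>
 </md:SPSSODescriptor>
</md:EntityDescriptor>"""
ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"><saml:Subject>
 <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
  <saml:SubjectConfirmationData Recipient="{recipient}" NotOnOrAfter="2030-01-01T00:00:00Z" InResponseTo="_req1"/>
 </saml:SubjectConfirmation></saml:Subject></saml:Assertion>"""

def acs_urls(metadata_xml):
    """Collect every AssertionConsumerService Location in the SP metadata."""
    root = ET.fromstring(metadata_xml)
    return {e.get("Location") for e in root.iterfind(".//md:AssertionConsumerService", NS)}

def check_bearer_confirmation(assertion_xml, metadata_xml, request_id=None):
    """Return the violations of profile section 4.1.4.2 (empty list = compliant)."""
    allowed = acs_urls(metadata_xml)
    root = ET.fromstring(assertion_xml)
    bearers = [sc for sc in root.iterfind(".//saml:SubjectConfirmation", NS)
               if sc.get("Method") == BEARER]
    if not bearers:
        return ["no bearer SubjectConfirmation"]
    problems = []
    for sc in bearers:
        data = sc.find("saml:SubjectConfirmationData", NS)
        if data is None:
            problems.append("missing SubjectConfirmationData")
            continue
        if data.get("Recipient") not in allowed:  # exact string match, no URL normalisation
            problems.append(f"Recipient {data.get('Recipient')!r} is not an ACS URL from the metadata")
        if data.get("NotOnOrAfter") is None:
            problems.append("NotOnOrAfter missing")
        if data.get("NotBefore") is not None:
            problems.append("NotBefore present")
        if request_id is not None and data.get("InResponseTo") != request_id:
            problems.append("InResponseTo does not match the request ID")
    return problems

if __name__ == "__main__":
    for r in ("https://sp.example.test/saml/acs", "https://sp.example.test/"):
        print(r, check_bearer_confirmation(ASSERTION.format(recipient=r), SP_METADATA, "_req1"))
```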