Tuesday 23 May 2017

It's always your ADFS certificates!

Despite the fact that the error message in the event logs for your Microsoft Dynamics CRM 2013 on-premise installation says...

Event ID 28005: Cannot execute as the database principal because the principal "dbo" does not exist, this type of principal cannot be impersonated, or you do not have permission.

...you'll find when you finally enable tracing with the crmdiagtool that the error in the CRM logs instead says...

System.IdentityModel.Tokens.SecurityTokenException: ID4175: The issuer of the security token was not recognized by the IssuerNameRegistry. To accept security tokens from this issuer, configure the IssuerNameRegistry to return a valid name for this issuer.

The solution (and you're even more annoyed because you've tried all the bits of it except clicking through the claims-based wizard in the CRM Deployment Manager):

Update the federation metadata on the two relying party trusts in ADFS manager;
Click through the claims-based authentication wizard AND the IFD wizard in CRM;
Restart ADFS Service;
Restart IIS;
(Try all 4 again if it still doesn't work...)
and now you're all good!
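As an added example (not code from the original post), here is a PowerShell check for the direction ID4175 points at: the token-signing certificate ADFS currently advertises in its federation metadata versus the thumbprint CRM was last configured to trust. If the thumbprint has dropped out of the published metadata (typically because ADFS auto-rolled its token-signing certificate), CRM's IssuerNameRegistry will reject every token until the claims-based and IFD wizards re-read the metadata. The ADFS host name, the trusted thumbprint and the two relying party trust names are placeholders you replace with your own values; the -Fix switch performs the ADFS-side steps (1 and 3 above) and has to run on an ADFS server with the ADFS module. Steps 2 and 4 still happen on the CRM server.

```powershell
# Added example; assumed placeholders: $AdfsHost, $TrustedThumbprint (the
# thumbprint CRM currently trusts, from your own records) and the names of
# the two CRM relying party trusts as they appear in ADFS Management.
param(
    [string]$AdfsHost = 'adfs.example.com',
    [string]$TrustedThumbprint = 'REPLACE-WITH-THUMBPRINT-CRM-CURRENTLY-TRUSTS',
    [string[]]$RelyingPartyNames = @('CRM internal RP (placeholder)', 'CRM IFD RP (placeholder)'),
    [switch]$Fix
)

# 1. Fetch the federation metadata ADFS publishes to relying parties.
$metadataUrl = "https://$AdfsHost/FederationMetadata/2007-06/FederationMetadata.xml"
[xml]$metadata = (Invoke-WebRequest -Uri $metadataUrl -UseBasicParsing).Content

# Signing keys sit under KeyDescriptor use="signing"; the same token-signing
# certificate appears in several role descriptors, so de-duplicate by thumbprint.
$ns = @{
    md = 'urn:oasis:names:tc:SAML:2.0:metadata'
    ds = 'http://www.w3.org/2000/09/xmldsig#'
}
$xpath = '//md:KeyDescriptor[@use="signing"]/ds:KeyInfo/ds:X509Data/ds:X509Certificate'
$published = Select-Xml -Xml $metadata -Namespace $ns -XPath $xpath |
    ForEach-Object {
        $raw  = [Convert]::FromBase64String($_.Node.InnerText.Trim())
        $cert = New-Object -TypeName System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList (,$raw)
        [pscustomobject]@{
            Thumbprint = $cert.Thumbprint
            NotAfter   = $cert.NotAfter
            Subject    = $cert.Subject
        }
    } | Sort-Object Thumbprint -Unique

Write-Host "Token-signing certificates ADFS currently advertises:"
$published | Format-Table Thumbprint, NotAfter, Subject -AutoSize

# 2. Compare with what CRM trusts. A miss here is exactly the ID4175 condition:
#    CRM's IssuerNameRegistry only knows the old certificate thumbprint.
$expected = $TrustedThumbprint.Replace(' ', '').ToUpper()
if ($published.Thumbprint -contains $expected) {
    Write-Host "OK: the thumbprint CRM trusts is still among the published signing certificates."
} else {
    Write-Warning "MISMATCH: ADFS no longer publishes thumbprint $expected."
    Write-Warning "Expect ID4175 until the CRM claims-based and IFD wizards re-read the federation metadata."
}

# 3. Optional ADFS-side remediation (post steps 1 and 3). Requires the ADFS module,
#    i.e. run on the ADFS server itself.
if ($Fix) {
    Import-Module ADFS

    # Show whether automatic rollover is what rotated the certificate, and which
    # token-signing certificate is primary right now.
    Get-AdfsProperties | Select-Object AutoCertificateRollover
    Get-AdfsCertificate -CertificateType Token-Signing |
        Select-Object IsPrimary, Thumbprint, NotAfter

    # Re-read each CRM relying party trust from its stored metadata URL
    # (the "Update from Federation Metadata" action in ADFS Management).
    foreach ($rp in $RelyingPartyNames) {
        Update-AdfsRelyingPartyTrust -TargetName $rp
    }

    # Post step 3: restart the ADFS service.
    Restart-Service -Name adfssrv
    # Post steps 2 and 4 (CRM wizards, then 'iisreset') are done on the CRM server.
}
```

Run it first without -Fix from any machine that can reach the ADFS endpoint; the mismatch warning alone tells you the fix is the metadata refresh, not the SQL "dbo" principal the event log blames.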