permission denied (publickey)

Another ssh publickey question

git clone git@bitbucket.org and ssh -T git@bitbucket.org both fail.

I have:

- confirmed that the key is in bitbucket.org

- confirmed that the key is in my ssh agent (I use it daily on other servers too)

- confirmed that ssh is reading my key

The only thing I haven't yet confirmed is that bitbucket.org seems to write my key without an identifier (usually an e-mail address) stripped off.

So in my ssh config I've got:

host bitbucket.org
  IdentityFile ~/.ssh/id_rsa_work
  IdentitiesOnly yes

and ssh -v -T git@bitbucket.org gives:

debug1: Remote protocol version 2.0, remote software version OpenSSH_7.4
debug1: match: OpenSSH_7.4 pat OpenSSH* compat 0x04000000
debug1: Authenticating to bitbucket.org:22 as 'git'
[truncated because community.atlassian]
debug1: Server host key: ecdsa-sha2-nistp256 SHA256:VEHUoFZPfkJ+2rdmtALHk0r8e3/HbUWKaFRmiL1HK4w
debug1: Host 'bitbucket.org' is known and matches the ECDSA host key.
debug1: Found key in ~/.ssh/known_hosts:530
debug1: rekey after 4294967296 blocks
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: rekey after 4294967296 blocks
debug1: SSH2_MSG_EXT_INFO received
debug1: kex_input_ext_info: server-sig-algs=<ssh-ed25519,ssh-rsa,ssh-dss,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521>
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey
debug1: Next authentication method: publickey
debug1: Offering RSA public key: ~/.ssh/id_rsa_work
debug1: Authentications that can continue: publickey
debug1: No more authentication methods to try.
Permission denied (publickey).