Finally, Google support guided me to the answer.
The iam.disableCrossProjectServiceAccountUsage constraint (organization policy) was Enforced (as it is by default apparently), preventing me from attaching a service account from project2 to a resource in project1.
I set the constraint to Not Enforced in project2 and I was able to execute the command successfully.
The error message is very misleading and the logs didn't hint towards the constraint either.
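
Since neither the error nor the logs name the constraint, one way to check it directly is to read the effective policy on the project that owns the service account. This is an added example, not part of the original answer: the function names are hypothetical, the sample JSON is constructed, and the `booleanPolicy.enforced` output shape of the legacy `gcloud resource-manager org-policies` commands is assumed.

```bash
#!/usr/bin/env bash
# Added example (not from the original answer). Function names are hypothetical.
CONSTRAINT="iam.disableCrossProjectServiceAccountUsage"

# Read effective-policy JSON on stdin and print "enforced" or "not-enforced".
# Assumption: a boolean constraint shows up as {"booleanPolicy": {"enforced": true}}
# when enforced, and with an empty booleanPolicy object when it is not.
policy_state() {
  if tr -d ' \n\t' | grep -q '"enforced":true'; then
    echo "enforced"
  else
    echo "not-enforced"
  fi
}

# Query the effective policy for one project (needs gcloud plus permission to
# view organization policies). A failed lookup is reported as such instead of
# being mistaken for "not-enforced".
check_project() {
  _out=$(gcloud resource-manager org-policies describe "$CONSTRAINT" \
           --project="$1" --effective --format=json) \
    || { echo "lookup-failed"; return 2; }
  printf '%s' "$_out" | policy_state
}

# Relax the constraint on a single project only (the project that owns the
# service account, project2 in the answer), leaving the default in force
# everywhere else in the organization.
relax_on_project() {
  gcloud resource-manager org-policies disable-enforce "$CONSTRAINT" --project="$1"
}

# Constructed samples of the two JSON shapes, for offline use.
SAMPLE_ENFORCED='{
  "booleanPolicy": { "enforced": true },
  "constraint": "constraints/iam.disableCrossProjectServiceAccountUsage"
}'
SAMPLE_NOT_ENFORCED='{
  "booleanPolicy": {},
  "constraint": "constraints/iam.disableCrossProjectServiceAccountUsage"
}'

printf '%s' "$SAMPLE_ENFORCED" | policy_state       # sample 1
printf '%s' "$SAMPLE_NOT_ENFORCED" | policy_state   # sample 2
```

Running `check_project project2` before and after the change confirms whether the override actually took effect on that project.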