Ssh – How to stop ssh-agent trying all keys with agent forwarding

ssh ssh-agent

Often I'll connect via SSH to VM instances to deploy code from private Bitbucket repositories, cloning repositories via git over SSH. Today I was getting the error:

conq: repository access denied. deployment key is not associated with the requested repository.

A quick search showed it was the problem described in "Repository access denied. access via a deployment key is read-only". The issue is that my forwarded SSH agent was trying to connect to Bitbucket with a Vagrant development key that I'd added since I'd last tried to clone a private repository over SSH. (Removing the Vagrant key from my .ssh directory allowed me access to the private repositories again.)

My SSH config is:

Host bitbucket.org
  User git
  IdentityFile ~/.ssh/bitbucket_key
  IdentitiesOnly yes

and locally this seems to behave as expected. The output of ssh -v git@bitbucket.org shows

debug1: Authentications that can continue: publickey
debug1: Next authentication method: publickey
debug1: Offering RSA public key: /home/me/.ssh/bitbucket_key

whereas when I'm connected to another server over SSH:

debug1: Offering RSA public key: steve@not_a_bitbucket_key
debug1: Authentications that can continue: publickey
debug1: Offering RSA public key: steve@still_not_a_bitbucket_key
debug1: Authentications that can continue: publickey
debug1: Offering RSA public key: steve@bitbucket_key

Is there some configuration other than IdentitiesOnly that I'm missing to ensure only the requested keys are sent to particular servers when using agent forwarding?

Running Ubuntu 12.04 with OpenSSH 5.9p1 installed.

Best Answer

Did you try adding ForwardAgent no to your ssh config file for host bitbucket?

Helpful sources:
https://developer.github.com/guides/using-ssh-agent-forwarding/
https://support.ssh.com/manuals/server-zos-admin/55/Disabling_Agent_Forwarding.html

Edit: I reread your question's title (sorry, I just woke up). Add ForwardAgent no to your config for all hosts if you don't want the agent forwarded to every machine you ssh to, and add ForwardAgent yes only to the hosts on which you want ssh agent forwarding to be active.
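The answer above turns on agent forwarding per host and off everywhere else. The detail that bites people when they do this is that ssh_config uses a first-match rule: for each option, the first value found in a matching Host block wins, so a catch-all `Host *` with `ForwardAgent no` must come after the per-host `ForwardAgent yes` lines, not before them. The following script is an added example, not code from the original question or answer; it writes two constructed configs (wrong order and right order) to a temp directory and resolves the effective value of an option with a small awk implementation of the first-match rule, including `*`, `?` and `!` in Host patterns (Match blocks are out of scope). The host names `deploy.example.com` and `*.internal.example.com` are assumptions for the demonstration.

```shell
#!/bin/sh
# Added example (not from the original post): resolve the effective value of an
# ssh_config option for a host using OpenSSH's first-match rule, and use it to
# show why the ordering of per-host and catch-all ForwardAgent settings matters.
set -e

# Constructed sample configs, written to a temp dir so this runs offline.
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Wrong order: the catch-all block comes first, so its "no" is the first value
# seen for every host and the per-host "yes" below is never reached.
cat > "$WORK/config.wrong" <<'EOF'
Host *
  ForwardAgent no

Host deploy.example.com
  ForwardAgent yes
EOF

# Right order: specific hosts first, catch-all last (hostnames are assumptions).
cat > "$WORK/config.right" <<'EOF'
Host deploy.example.com *.internal.example.com
  ForwardAgent yes

Host bitbucket.org
  User git
  IdentityFile ~/.ssh/bitbucket_key
  IdentitiesOnly yes

Host *
  ForwardAgent no
EOF

# effective_option FILE HOST OPTION
# Prints the value OpenSSH would use for OPTION when connecting to HOST: the
# first value found in a block whose Host patterns match (options before any
# Host line match everything). Prints nothing if no matching block sets it.
effective_option() {
  awk -v host="$2" -v want="$3" '
    # Translate an ssh_config glob (* and ?) into an anchored regular expression.
    function glob2re(p,   r, i, c) {
      r = "^"
      for (i = 1; i <= length(p); i++) {
        c = substr(p, i, 1)
        if (c == "*") r = r ".*"
        else if (c == "?") r = r "."
        else if (c ~ /[][.+^$(){}|\\]/) r = r "\\" c
        else r = r c
      }
      return r "$"
    }
    BEGIN { active = 1; host = tolower(host); want = tolower(want) }
    NF == 0 || $1 ~ /^#/ { next }                 # skip blank and comment lines
    tolower($1) == "host" {
      # A Host line opens a new block; it is active if any pattern matches
      # and no negated (!) pattern matches.
      active = 0; negated = 0
      for (i = 2; i <= NF; i++) {
        p = tolower($i)
        if (substr(p, 1, 1) == "!") {
          if (host ~ glob2re(substr(p, 2))) negated = 1
        } else if (host ~ glob2re(p)) {
          active = 1
        }
      }
      if (negated) active = 0
      next
    }
    active && tolower($1) == want { print $2; exit }   # first match wins
  ' "$1"
}

# Demonstration: same per-host intent, different outcome depending on order.
printf 'wrong order: deploy.example.com ForwardAgent=%s\n' \
  "$(effective_option "$WORK/config.wrong" deploy.example.com ForwardAgent)"
printf 'right order: deploy.example.com ForwardAgent=%s\n' \
  "$(effective_option "$WORK/config.right" deploy.example.com ForwardAgent)"
printf 'right order: build1.internal.example.com ForwardAgent=%s\n' \
  "$(effective_option "$WORK/config.right" build1.internal.example.com ForwardAgent)"
printf 'right order: bitbucket.org ForwardAgent=%s\n' \
  "$(effective_option "$WORK/config.right" bitbucket.org ForwardAgent)"
```

On OpenSSH 6.8 and later you can skip the awk and ask the real client with `ssh -G hostname`, which prints the configuration it would actually use; the questioner's 5.9p1 predates that option. Two caveats worth keeping in mind: `ForwardAgent` only decides whether the agent socket is forwarded at all, and once it is, the ssh client running on the remote host offers every key the agent holds, in agent order, unless that remote host's own ssh_config restricts it (a local `IdentitiesOnly` never reaches the remote client). And a host that receives the forwarded agent can use any of those keys while the session is open, so keep the `ForwardAgent yes` list as short as the deployment actually needs.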
