How can I modify the Serverless Image Handler template to work with protected images in my S3 bucket?


I followed the instructions in this guide: https://docs.aws.amazon.com/solutions/latest/serverless-image-handler/architecture-details.html#image-url-signature

The solution works for public images in my S3 bucket; however, I also need to make protected images work. I have tried editing the template with these changes:

  • Enable Signature -> Yes
  • SecretsManager Secret -> my-secret
  • SecretsManager Key -> my-key

When I submit the changes, it fails. The logs show me this error:

ERROR	AWS Secrets Manager secret or signature might not exist: my-secret/my-key
INFO	Received event: {
    "RequestType": "Create",
    "ServiceToken": "arn:aws:lambda:us-east-1:081638151084:function:ServerlessImageHandler-CommonResourcesCustomResour-xbxoDZtFxCNH",
    "ResponseURL": "https://cloudformation-custom-resource-response-useast1.s3.amazonaws.com/arn%3Aaws%3Acloudformation%3Aus-east-1%3A081638151084%3Astack/ServerlessImageHandler/34f1bd70-4085-11ee-ab17-0eb5866a32df%7CCommonResourcesCustomResourcesCustomResourceCheckSecretsManagerAEEEC776%7Ce9798850-6ac9-4edd-bcf5-4e53deb62d22?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Date=20230916T010945Z&X-Amz-SignedHeaders=host&X-Amz-Expires=7200&X-Amz-Credential=AKIA6L7Q4OWT4KI6JZ7U%2F20230916%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Signature=dee2a6fd4b82133bb800a8611cd9a1f8bf0f4d6257b9035c1c6207a6ec9b5b92",
    "StackId": "arn:aws:cloudformation:us-east-1:081638151084:stack/ServerlessImageHandler/34f1bd70-4085-11ee-ab17-0eb5866a32df",
    "RequestId": "e9798850-6ac9-4edd-bcf5-4e53deb62d22",
    "LogicalResourceId": "CommonResourcesCustomResourcesCustomResourceCheckSecretsManagerAEEEC776",
    "ResourceType": "AWS::CloudFormation::CustomResource",
    "ResourceProperties": {
        "ServiceToken": "arn:aws:lambda:us-east-1:081638151084:function:ServerlessImageHandler-CommonResourcesCustomResour-xbxoDZtFxCNH",
        "SecretsManagerKey": "my-key",
        "CustomAction": "checkSecretsManager",
        "SecretsManagerName": "my-secret"
    }
}

My secret and key have uppercase and lowercase alpha characters, numbers, and as non-alphanumeric characters I use ".", "-", "_", "@", "+". Those are valid characters for Secrets Manager, right?

I also added the SecretsManagerReadWrite policy to the ServerlessImageHandler-CommonResourcesCustomResour-xxxx role.

What am I missing?

No answers
