'Access Denied' when access s3 from angular app with cognito user pool

I have S3 bucket which I configured to manage access using cognito user pool, as described here https://docs.amazonaws.cn/en_us/IAM/latest/UserGuide/reference_policies_examples_s3_cognito-bucket.html:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": "*",
            "Action": "s3:ListBucket",
            "Resource": "arn:aws:s3:::<bucket-name>",
            "Condition": {
                "StringLike": {
                    "s3:prefix": "cognito/<app-name>/"
                }
            }
        },
        {
            "Effect": "Allow",
            "Principal": "*",
            "Action": [
                "s3:PutObject",
                "s3:GetObject",
                "s3:DeleteObject"
            ],
            "Resource": [
                "arn:aws:s3:::<bucket-name>/cognito/<app-name>/${cognito-identity.amazonaws.com:sub}*",
                "arn:aws:s3:::<bucket-name>/cognito/<app-name>/${cognito-identity.amazonaws.com:sub}/*"
            ]
        }
    ]
}

I have angular web app which authenticate users with cognito user pool, and I'm using S3 client to get object. I see a call to cognito service (https://cognito-identity.eu-central-1.amazonaws.com/) is made successfully, and an identity is returned as a response, but the immediate call afterwards to s3 is failing with status code 403:

<Error><Code>AccessDenied</Code><Message>Access Denied</Message><RequestId>AAC2B5FC5C74C971</RequestId><HostId>l8AOygYbUT+Y1QhTjHydRJ9Uxc97ElSZ+l6H2RQlNglpQuZrqQPW532U6Pixil7YPZ4ugpreoSs=</HostId></Error>

Here's my code setting AWS creds:

    buildCognitoCreds(idTokenJwt: string) {
        let url = 'cognito-idp.' + CognitoUtil._REGION.toLowerCase() + '.amazonaws.com/' + CognitoUtil._USER_POOL_ID;
        if (environment.cognito_idp_endpoint) {
            url = environment.cognito_idp_endpoint + '/' + CognitoUtil._USER_POOL_ID;
        }
        let logins: CognitoIdentity.LoginsMap = {};
        logins[url] = idTokenJwt;
        let params = {   
            IdentityPoolId: CognitoUtil._IDENTITY_POOL_ID, /* required */
            Logins: logins
        };        
        let serviceConfigs = <awsservice.ServiceConfigurationOptions>{};
        if (environment.cognito_identity_endpoint) {
            serviceConfigs.endpoint = environment.cognito_identity_endpoint;
        }
        let creds = new AWS.CognitoIdentityCredentials(params, serviceConfigs);
        this.setCognitoCreds(creds);
        return creds;
    }

What am I missing?
No matter what I try, I'm getting Access Denied.