How can I direct kubelet on EKS to contact private VPC endpoints?

I am setting up an EKS cluster without internet access. I have created private VPC endpoints for the necessary services (EC2, S3, ...), but kubelet on the worker nodes insist contacting the public EC2 endpoint instead:

kubelet: F1116 10:08:20.929730   19335 server.go:273] failed to run Kubelet: could not init cloud provider "aws": error finding instance i-0xxxxxxxxx: "error listing AWS instances: \"RequestError: send request failedncaused by: Post https://ec2.eu-north-1.amazonaws.com/: dial tcp 52.46.192.128:443: i/o timeout\""  

From the worker, I can reach the private endpoints on port 443. How can I instruct the kubelet AWS cloud provider to contact them instead? I suppose I should change something in the kubelet config file, but I cannot find the relevant documentation. I have found the relevant config reading code, but I don't read Go well enough to figure out how to tweak the config: https://github.com/kubernetes/legacy-cloud-providers/blob/243362b8233f05202b5facfe85921f5a3a87461e/aws/aws.go#L649

Or is this supposed to work via a DNS override? In that case, what is missing? I have gone through the docs at https://docs.aws.amazon.com/eks/latest/userguide/private-clusters.html and https://docs.aws.amazon.com/eks/latest/userguide/cluster-endpoint.html, and cannot find anything that I have missed.

Grateful for support. IIUC, we have an enterprise support agreement. If I need to do something to trigger that, let me know.

Regards,

Lars