appsync graphql query fails with error type OpenSearch:UserIllegalArgumentException

we are trying to add an OpenSearch datasource to our existing AppSync setup. all other datasources for AppSync have been DynamDB up to this point

is this error type indicating a problem with the resolver mapping templates or a problem re AppSync accessing OpenSearch ie misconfigured access policies?

we are using the nodejs CDK to deploy via CodePipeline

we have added an OpenSearch Domain, and it is being populated by a lambda listening for writes to a DynamoDB table - this part is working

we have created an OpenSearch Datasource, and created a resolver using the following as request and response mapping templates

const requestTemplate = `{
  "version":"2017-02-28",
  "operation":"GET",
  "path":"/id/shipments/_search",
  "params":{
      "body":{
          "from":0,
          "to": 20
      }
  }
}`;

const responseTemplate = `{
  "shipments": [
    #foreach($entry in $context.result.hits.hits)
      #if( $velocityCount > 1 ) , #end
      $utils.toJson($entry.get("_source"))
    #end
  ],
  "total": -1
}`;

const datasourceId = `ShipmentsListDatasource`;
const datasource = new appsync.OpenSearchDataSource(
  this,
  getId(datasourceId, this.props),
  {
    domain: this.openSearchDomain,
    api: this.api,
  }
);

datasource.createResolver({
  typeName: GraphQLTypeName.Query,
  fieldName: "listShipments",
  requestMappingTemplate: appsync.MappingTemplate.fromString(
    requestTemplate
  ),
  responseMappingTemplate: appsync.MappingTemplate.fromString(
    responseTemplate
  ),
});

access to the OpenSearch domain has been configured like this

private configureOpenSearch() {
    const openSearchAppsyncRole = new iam.Role(
      this,
      "a-role-name-here",
      {
        assumedBy: new iam.ServicePrincipal("appsync.amazonaws.com"),
      }
    );

    const lambdaPolicyStatement = new iam.PolicyStatement({
      actions: ["es:*"],
      resources: [`${this.openSearchDomain.domainArn}/*`],
      principals: [new iam.ArnPrincipal(this.baseStack.lambdaRole.roleArn)],
    });

    const rolePolicyStatement = new iam.PolicyStatement({
      actions: ["es:*"],
      resources: [`${this.openSearchDomain.domainArn}/*`],
      effect: iam.Effect.ALLOW,
      notPrincipals: [openSearchAppsyncRole]
    })

    this.openSearchDomain.addAccessPolicies(lambdaPolicyStatement, rolePolicyStatement);
    this.openSearchDomain.grantRead(openSearchAppsyncRole);
    this.openSearchDomain.grantIndexReadWrite(
      "id",
      this.shipmentsOpenSearchLambda
    );
  }

any requests to the graphql endpoint for this particular query return the following

{
	"data": null,
	"errors": [{
		"path": ["listShipments"],
		"data": null,
		"errorType": "OpenSearch:UserIllegalArgumentException",
		"errorInfo": null,
		"locations": [{
			"line": 3,
			"column": 5,
			"sourceName": null
		}],
		"message": "OpenSearch responded with an error: Bad Request"
	}]
}