Signing CloudFront URLs with KMS

CloudFront uses RSA/PKCS-1.5/SHA1 algorithm for its signatures. KMS, for signing, requires minimum SHA2. That sounds like a serious gap (plus use of SHA1 is questionable all together) Is there a way to make CloudFront accept signatures of a different algorithm, or have KMS sign SHA1 digests?

P.S. This is different than https://repost.aws/questions/QUcCvy-SqtRQC3xfTbl_RXQQ/signing-cloud-front-ur-ls-with-aws-kms-encryption, I have my own code that I want to sign URLs with, and I want to use KMS, instead of disclosing private key to that code directly.