How Does the kms:CallerAccount Condition Work

How exactly does the kms:CallerAccount Condition work in a key policy? I've set up an SNS topic that is encrypted, and is triggered by a CloudWatch alarm. A CloudWatch alarm will fail publishing to SNS when using the default SNS KMS key which has the following policy

{
    "Version": "2012-10-17",
    "Id": "auto-sns-1",
    "Statement": [
        {
            "Sid": "Allow access through SNS for all principals in the account that are authorized to use SNS",
            "Effect": "Allow",
            "Principal": {
                "AWS": "*"
            },
            "Action": [
                "kms:Decrypt",
                "kms:GenerateDataKey*",
                "kms:CreateGrant",
                "kms:ListGrants",
                "kms:DescribeKey"
            ],
            "Resource": "*",
            "Condition": {
                "StringEquals": {
                    "kms:CallerAccount": "xxxxxxxxxxxx",
                    "kms:ViaService": "sns.us-east-1.amazonaws.com"
                }
            }
        },
        {
            "Sid": "Allow direct access to key metadata to the account",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::xxxxxxxxxxxx:root"
            },
            "Action": [
                "kms:Describe*",
                "kms:Get*",
                "kms:List*",
                "kms:RevokeGrant"
            ],
            "Resource": "*"
        }
    ]
}

I can create a CMK KMS key with a roughly similar format that will work for CloudWatch to publish to SNS

{
    "Version": "2012-10-17",
    "Id": "auto-sns-1",
    "Statement": [
        {
            "Sid": "Allow access through SNS for all principals in the account that are authorized to use SNS",
            "Effect": "Allow",
            "Principal": {
                "AWS": "*"
            },
            "Action": [
                "kms:Decrypt",
                "kms:GenerateDataKey*",
                "kms:CreateGrant",
                "kms:ListGrants",
                "kms:DescribeKey"
            ],
            "Resource": "*",
        },
        {
            "Sid": "Allow direct access to key metadata to the account",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::xxxxxxxxxxxx:root"
            },
            "Action": [
                "kms:*"
            ],
            "Resource": "*"
        }
    ]
}

However, if the first statement includes the kms:CallerAccount Condition like so, CloudWatch will, again, fail to publish to SNS

{
            "Sid": "Allow access through SNS for all principals in the account that are authorized to use SNS",
            "Effect": "Allow",
            "Principal": {
                "AWS": "*"
            },
            "Action": [
                "kms:Decrypt",
                "kms:GenerateDataKey*",
                "kms:CreateGrant",
                "kms:ListGrants",
                "kms:DescribeKey"
            ],
            "Resource": "*",
            "Condition": {
                "StringEquals": {
                    "kms:CallerAccount": "xxxxxxxxxxxx"
                }
            }
        }

It would be my assumption that a call from anywhere in an account including CloudWatch would register the CallerAccount as the account it's coming from. So I can't understand why that particular condition is causing CloudWatch to fail in it's alarm publishing to SNS. So what exactly does kms:CallerAccount do and why isn't CloudWatch playing nice with it?