Using a Cognito custom attribute as a principal tag in an IAM policy condition is not working

1

Here's the setup:

  • User Pool custom attribute: custom:journalSubscription
  • User Pool app client: has read/write permission for the custom attribute
  • Example user: has custom attribute custom:journalSubscription set to true
  • Identity Pool ABAC custom mapping: "Attribute name" of custom:journalSubscription ---maps to---> "Tag key for principal" of journalSubscription
  • IAM policy: uses a condition for "StringEquals" where "aws:PrincipalTag/journalSubscription" must equal "true"

Problem: the SDK call fails with this error:

User: <<AUTH_ROLE>> is not authorized to perform: dynamodb:GetItem on resource: <<ARN_FOR_MY_DynamoDB_TABLE>> because no identity-based policy allows the dynamodb:GetItem action

Note: the SDK call works fine with an IAM policy that uses a condition for a non-custom attribute such as "aws:PrincipalTag/email". It's just that for custom attributes, the call fails.

How can I make this work?

2 answers
2
Accepted answer

In the app client settings, for the OpenID Connect scopes, add profile. This allows the app client to retrieve "profile" attributes which seems to include custom attributes.

answered 2 years ago
AWS Expert Chris_G, reviewed 2 years ago
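As an added illustration (not part of the question or either answer), the following Python models the chain the accepted answer fixes: an ID token claim, the identity pool's claim-to-principal-tag mapping, and the policy's StringEquals condition on aws:PrincipalTag/journalSubscription. Everything in it is constructed: the table ARN, the sub and email values, the unsigned sample tokens, and the assumption (which is what the accepted answer describes) that custom:journalSubscription only appears in the ID token once the app client has the profile scope. It also includes a diagnostic that decodes the ID token payload without verifying it, which is the quickest way to confirm whether the custom claim is actually in the token before suspecting the IAM policy.

```python
import base64
import json

# Everything below is constructed for illustration; no real tokens or accounts.
TABLE_ARN = "arn:aws:dynamodb:us-east-1:123456789012:table/Journal"  # placeholder ARN

# Identity-pool ABAC mapping from the question: ID-token claim -> principal tag key.
PRINCIPAL_TAG_MAP = {
    "email": "email",
    "custom:journalSubscription": "journalSubscription",
}

# The authenticated role's identity-based policy, as described in the question.
POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": "dynamodb:GetItem",
        "Resource": TABLE_ARN,
        "Condition": {"StringEquals": {"aws:PrincipalTag/journalSubscription": "true"}},
    }],
}

# Sample ID-token payloads. Assumption (matching the accepted answer): the custom
# attribute is only present in the token once the app client has the "profile"
# OAuth scope; without it the claim is simply absent.
CLAIMS_WITH_PROFILE_SCOPE = {
    "sub": "11111111-2222-3333-4444-555555555555",
    "email": "reader@example.com",
    "custom:journalSubscription": "true",
}
CLAIMS_WITHOUT_PROFILE_SCOPE = {
    "sub": "11111111-2222-3333-4444-555555555555",
    "email": "reader@example.com",
}


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def make_unsigned_token(claims: dict) -> str:
    """Build a JWT-shaped string with an empty signature (test fixture only)."""
    header = _b64url_encode(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    return f"{header}.{_b64url_encode(json.dumps(claims).encode())}."


def id_token_claims(token: str) -> dict:
    """Decode a JWT payload WITHOUT verifying it. Diagnostic only: use it to see
    whether the custom:... claim is present, never to trust its contents."""
    return json.loads(_b64url_decode(token.split(".")[1]))


def principal_tags(claims: dict, tag_map: dict) -> dict:
    """Mimic the identity pool's claim-to-tag mapping: a claim that is absent
    from the token produces no session tag at all."""
    return {tag: claims[claim] for claim, tag in tag_map.items() if claim in claims}


def condition_matches(condition: dict, tags: dict) -> bool:
    """Evaluate StringEquals on aws:PrincipalTag/* keys. A missing tag never
    matches, so the statement does not apply (other operators not modelled)."""
    prefix = "aws:PrincipalTag/"
    for operator, pairs in condition.items():
        if operator != "StringEquals":
            raise NotImplementedError(f"operator {operator} not modelled")
        for key, expected in pairs.items():
            if not key.startswith(prefix):
                raise NotImplementedError(f"condition key {key} not modelled")
            if tags.get(key[len(prefix):]) != expected:
                return False
    return True


def is_allowed(policy: dict, action: str, resource: str, tags: dict) -> bool:
    """Minimal identity-based policy evaluation: a matching Allow grants,
    otherwise implicit deny. Explicit Deny statements are not modelled."""
    for statement in policy["Statement"]:
        if statement["Effect"] != "Allow":
            continue
        actions, resources = statement["Action"], statement["Resource"]
        actions = [actions] if isinstance(actions, str) else actions
        resources = [resources] if isinstance(resources, str) else resources
        if (action in actions and resource in resources
                and condition_matches(statement.get("Condition", {}), tags)):
            return True
    return False


def check_access(claims: dict) -> bool:
    """Run the whole chain (token claims -> tags -> policy) for one payload."""
    return is_allowed(POLICY, "dynamodb:GetItem", TABLE_ARN,
                      principal_tags(claims, PRINCIPAL_TAG_MAP))


if __name__ == "__main__":
    for label, claims in (("with profile scope", CLAIMS_WITH_PROFILE_SCOPE),
                          ("without profile scope", CLAIMS_WITHOUT_PROFILE_SCOPE)):
        token = make_unsigned_token(claims)
        verdict = "allowed" if check_access(claims) else "denied (implicit)"
        print(f"{label}: claims={id_token_claims(token)} -> {verdict}")
```

Without the claim the identity pool creates no journalSubscription session tag, StringEquals on a missing tag is false, the Allow statement never applies, and the result is exactly the "no identity-based policy allows" message from the question. The email-based condition keeps working in the same model because email is in the token regardless of the profile scope.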
0

seems to be

answered 1 year ago
